
Verify Signatures

You must have the Developers permission to do this.

All webhook requests come with a signature in the fullmethod-signature header. This is a way to verify that the webhook request came from Go Method. You can perform a verification by providing the event payload, the fullmethod-signature header, and the endpoint's signature secret.

CAUTION: Go Method requires the raw body of the request to perform the signature verification. If you are using a framework that parses or reformats the JSON payload, make sure you compute the signature over the raw body.

The fullmethod-signature header included in each webhook event contains a timestamp and one signature. The timestamp is prefixed by t=, and the signature is prefixed by signature=. For example: fullmethod-signature: t=1674781463,signature=7e36810445db0d5bdae0df891bf8be7be1b2d1f3

  1. Get the timestamp and the signature.
    1. Split the header using the , character as the separator to get the list of elements (t and signature).
    2. Split each element using the = character as the separator. The value for the prefix t is the timestamp of the request, and the value for the prefix signature is the actual signature for the request.
  2. Create the signed payload. The signed payload string is created by concatenating the timestamp followed by a . and then the actual raw JSON payload.

    1674781463.{"recordId":20624,"changeType":"UPDATE","webhookEvent":"PARTICIPANT_PROFILE"}

  3. Create the expected signature. Compute an HMAC with the SHA256 hash function. Use the webhook signature key as the key, and use the signed payload string (see previous step example) as the message.
  4. Compare the signatures. Compare the signature that you computed with the signature from the fullmethod-signature header. Also, compare the current timestamp against the timestamp in the signature header and decide whether the difference between them is within a tolerance you are willing to accept.
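
The four steps above in Python, as an added example that is not Go Method's own code. It assumes the signature is hex-encoded, the secret is passed as bytes, and a 300-second tolerance; the function names and the sample secret are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumption: acceptable clock skew is your choice


def parse_signature_header(header: str) -> tuple[int, str]:
    """Split 't=<unix ts>,signature=<sig>' into (timestamp, signature)."""
    fields: dict[str, str] = {}
    for element in header.split(","):
        key, sep, value = element.strip().partition("=")
        if not sep or key in fields:
            raise ValueError("malformed or duplicated header element")
        fields[key] = value
    ts = fields.get("t", "")
    if not (ts.isascii() and ts.isdigit()) or not fields.get("signature"):
        raise ValueError("header needs a numeric t and a signature")
    return int(ts), fields["signature"]


def expected_signature(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' (hex encoding assumed)."""
    signed_payload = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, header: str, raw_body: bytes,
                   now: float | None = None) -> bool:
    """True only for a well-formed, fresh, correctly signed request."""
    try:
        timestamp, received = parse_signature_header(header)
    except ValueError:
        return False
    if abs((time.time() if now is None else now) - timestamp) > TOLERANCE_SECONDS:
        return False  # too old or future-dated: reject as a possible replay
    expected = expected_signature(secret, timestamp, raw_body)
    # Constant-time compare so timing does not reveal how much matched.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    secret = b"constructed-signing-secret"  # constructed sample values
    raw = b'{"recordId":20624,"changeType":"UPDATE","webhookEvent":"PARTICIPANT_PROFILE"}'
    header = f"t=1674781463,signature={expected_signature(secret, 1674781463, raw)}"
    print(verify_webhook(secret, header, raw, now=1674781500))  # raw bytes
    print(verify_webhook(secret, header, json.dumps(json.loads(raw)).encode(), now=1674781500))
```

The second call in the demo re-serializes the parsed JSON, which changes the whitespace and so fails verification; pass the bytes exactly as they arrived on the wire.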