Configuration

Webhooks are configured on a per-SignatureOrder basis.

You simply provide your webhook uri as part of creating a signature order (createSignatureOrder mutation) by adding it as an input variable webhook.uri as shown below.

​

Adding a webhook

​

Webhook verification with HMAC signature

You can add a cryptographically random secret to your webhook configuration, which will add a X-Criipto-Signature header containing a HMAC-SHA256 signature (as a base64 string) of the webhook request body (utf-8).

You can also try it out in our Webhook tester.

​

Node.js example

You can use the crypto library in Node.js to validate the webhook signature.

import crypto from 'crypto';

const secret = Buffer.from('...BASE64_SECRET...', 'base64');
const actual = headers.get('X-Criipto-Signature');
const expected = crypto.createHmac('sha256', secret).update('...RAW BODY...').digest('base64');

console.log(actual === expected);