Webhooks
Request Signing
All outgoing webhook requests are cryptographically signed. The signature is sent with the HTTP request in the X-SME-Webhook-Signature header. Using the shared secret that is provided when the webhook is configured, partners can validate the origin and authenticity of incoming webhook requests.
Do not use IP address filtering
You might consider restricting the webhook endpoint using an IP address allow list. We strongly recommend against this approach because the IP addresses from which webhook requests are sent are unpredictable, and we are unable to provide a list of possible IP addresses. Signature validation, not the source address, is what establishes that a request is genuine.
Method
The signature is the hex-encoded HMAC of the raw HTTP request body, using the partner's shared secret as the key and SHA256 as the hash function (HMAC-SHA256). Partners compute the same value over the exact bytes they received and compare it with the header value using a constant-time comparison.
Here is an example in Python:
import hashlib
import hmac
# `request` is the incoming HTTP request object of your web framework.
# `request.body` must be the raw bytes as received; re-serialising a parsed
# JSON payload can change whitespace or key order and break the signature.
provided_signature = request.headers["x-sme-webhook-signature"]
# The shared secret shown when the webhook was configured; load it from
# configuration rather than hard-coding it in source.
secret = "the-partner's-secret-key"
digest = hmac.new(
    secret.encode("ascii"),
    request.body,
    hashlib.sha256,
)
calculated_signature = digest.hexdigest()
# compare_digest runs in constant time, so an attacker cannot learn how many
# leading characters of a guessed signature were correct from response timing.
assert hmac.compare_digest(calculated_signature, provided_signature)
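The snippet above shows the happy path. The following is an added example, not code from the original documentation or from the webhook provider, that wraps the same HMAC-SHA256 check in a reusable verifier and exercises the cases a receiving endpoint should fail closed on: a missing header, a tampered body, a wrong secret, and a body that was re-serialised before hashing. The names `SECRET`, `sign_body`, `verify_signature` and `demo`, and the payload, are assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed example secret; a real deployment loads this from configuration.
SECRET = "example-shared-secret"


def sign_body(secret: str, body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 of the raw request body, as the sender computes it."""
    return hmac.new(secret.encode("ascii"), body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, body: bytes, provided: Optional[str]) -> bool:
    """Return True only if `provided` is the HMAC of the exact bytes received.

    Fails closed on a missing or empty header. The comparison is constant-time
    (hmac.compare_digest) so response timing does not leak how much of a
    guessed value matched. Hex case is normalised as an assumption that the
    header is always hex-encoded.
    """
    if not provided:
        return False
    expected = sign_body(secret, body)
    try:
        return hmac.compare_digest(expected, provided.strip().lower())
    except TypeError:
        # Non-ASCII header value: cannot be a valid hex digest.
        return False


def demo() -> Dict[str, bool]:
    """Run the verifier over a constructed payload and several failure modes."""
    body = b'{"event":"invoice.paid","id":"inv_123"}'  # constructed webhook body
    header = sign_body(SECRET, body)
    # Parsing and re-dumping the JSON changes the bytes (json.dumps inserts
    # spaces), so the signature no longer matches even though the data is "the same".
    reserialised = json.dumps(json.loads(body)).encode("utf-8")
    return {
        "valid": verify_signature(SECRET, body, header),
        "tampered_body": verify_signature(SECRET, body.replace(b"paid", b"void"), header),
        "missing_header": verify_signature(SECRET, body, None),
        "wrong_secret": verify_signature("some-other-secret", body, header),
        "reserialised_body": verify_signature(SECRET, reserialised, header),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'accepted' if ok else 'rejected'}")
```

The `reserialised_body` case is the one that trips up most integrations: the framework hands you a parsed object, you hash its re-encoded form, and every signature fails. Always hash the bytes exactly as they arrived on the wire.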