When you receive events through a webhook, you need to ensure the messages are actually from the event streaming and not from someone else. Each message from event streaming comes with a signature that helps you verify its origin.

Steps to Validate the Message Signature

Look for the Signature: Every message from event streaming has a signature attached as an HTTP header with the key x-bd-webhooks-signature.
Recreate the Signature: You need to recreate the signature on your side and compare it with the one that came with the message.
Compare Signatures: The message is valid if the recreated signature matches the one from the message. If there is no signature or the signatures don't match, ignore the message because it's not from event streaming.

Signature Schematics

The message signature is an HMAC using the SHA-256 hashing algorithm. The key of the HMAC is the webhook secret, which is registered in its settings for event streaming. The same secret is used for the Challenge Response Check (CRC) as documented here.

The payload of the HMAC is the HTTP request body. The HMAC is then base64 encoded and prefixed with the string sha256=.

Example Code to Generate the Signature

Here’s a simple example in Go to generate the signature:

func GenerateSignature(mySecret string, payload \[]byte) string {  
	key := \[]byte(mySecret)  
	h := hmac.New(sha256.New, key)  
	h.Write(payload)  
	hash := h.Sum(nil)  
	encodedHash := base64.StdEncoding.EncodeToString(hash)  
	return "sha256=" + encodedHash  
}