Verify

Learn how to verify the authenticity of LiveSession webhook requests.

Quickstart

Before you proceed with responding to a webhook, it's crucial to ensure that the webhook originated from LiveSession. This verification can be accomplished by calculating a digital signature.

Every webhook request incorporates a base64-encoded HMAC-SHA256 signature included in LiveSession-Signature header. This header is created using the webhook's secret in conjunction with the data transmitted in the request.

To compute the HMAC digest, follow below written algorithm:

1import crypto from 'crypto';
2
3// Your webhook secret key
4const secretKey = 'your_secret_key_here';
5
6// Received data from the webhook payload
7const receivedData = 'received_data_here';
8
9// Received base64-encoded HMAC signature from the webhook headers
10const receivedSignatureBase64 = 'received_signature_here'; // Replace with actual received signature
11
12// Function to compute HMAC-SHA256 signature and return base64-encoded result
13function computeHmacSha256Base64(data, secretKey) {
14    const hmac = crypto.createHmac('sha256', secretKey);
15    hmac.update(data);
16
17    return hmac.digest('base64');
18}
19
20// Calculate the base64-encoded HMAC-SHA256 signature for the received data
21const calculatedSignatureBase64 = computeHmacSha256Base64(receivedData, secretKey);
22
23// Compare the received signature with the calculated signature
24if (receivedSignatureBase64 === calculatedSignatureBase64) {
25    console.log('Webhook signature is valid. Request is authentic.');
26} else {
27    console.log('Webhook signature is invalid. Request might be tampered.');
28}

Delivery