Webhook Checksum

Suggest Edits

As an additional security layer, we added a checksum property to the header of the request you will get from Oneliquidity. This is to ensure, that the request is from our API.

Below is an example of a request body:

{
    "event": "AN_EVENT_NAME",
    "message": "A descriptive message",
    "data": {
        "userId": "2dc3204f-a6c6-51aa-8db2-aa9792b19a89",
    }
}

Below is an example of a checksum signature:

{
  	"x-oneliquidity-signature": "c0c4ff5f2b32d2bb09ad6f791b50d0cf95e67cd62e4f611a0d37b382197a87a4",
}

In order to generate the checksum, we concatenated all the object values into a string (stringify). Based on the example above, the result after concatenating the string would be:

AN_EVENT_NAMEA descriptive message2dc3204f-a6c6-51aa-8db2-aa9792b19a89

Then we create a HMAC SHA-256 encoded hash (the returned hash is in the hex format), using the integratorId of the integrator to receive the request as the hash key/secret.

In order to validate the checksum, you will need to repeat these steps on your system, using your integratorId as the key/secret.

If the two checksums match, you can be certain that the request originated from Oneliquidity's system.

Updated over 1 year ago