Skip to main content

Verify Donorbox webhook notifications

Harish Premkumar
Updated

It is important for any application to verify that the webhook it received indeed originated from the actual source. To enable the client applications to verify the originality of Donorbox webhooks, Donorbox includes a special header Donorbox-Signature in each webhook notification. The value in this header contains a timestamp and a signature that can be verified. The timestamp and signature are separated by a comma as shown in the below example:

 

Donorbox-Signature: 1691135469,5a4b8558181215c09d565ffc5d54be0303f370f6746384eb5eced4125fd8c971

 

This signature is signed using Signature Secret which is a uniquely generated string for each webhook endpoint. To fetch the Signature Secret of your custom webhook endpoint, navigate to "Integrations & Addons", and click on one of the records under the "CustomWebhooks" section to access its details page. On the custom webhook details page, you will see the "Signature Secret" key as shown below. Make sure to copy this and store it in a secured place.

 

Now that you know where to find the signature secret for your webhook endpoint, follow these steps to validate the signature received in the request header when Donorbox notifies the endpoint URL:
 

1. Extract the timestamp and signatures from the header Donorbox-Signature 

Split the header using the , character as the separator. The first part of the header string represents the timestamp, and the second part represents the signature.

2. Generate a string by concatenating the timestamp, the character . and the request body

3. Determine the expected signature by computing an HMAC with the SHA256 hash function. Use the endpoint's Signature Secret as the key, and the string generated in the previous step as the message.

4. Validate the request

  • Compare the signature in the header to ensure it matches the expected signature. Reject the request if it doesn't match.
  • And also compare the difference between the received timestamp and the current timestamp. One can expect the received timestamp to be not older than 30 seconds or a minute.

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk