Signing Webhooks
A recommended practice for Webhooks is to sign the payloads of the messages so that the receiver can verify the authenticity and integrity of the message.
The framework provides a mechanism to sign the payloads of the messages sent (as Sender) and to verify the signatures of the incoming messages (as Receiver).
Signature providers are implementations of the IWebhookSigner service contract: they use the payload of a webhook message and a secret key to compute a signature that is attached to the webhook.
By default, when registering a Webhook Sender service, the framework also registers an implementation of a signature provider for the 'HMAC-SHA-256' algorithm. Custom ones can be added by calling the .AddSigner<TSigner>() method of the service builder.
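The sign-and-verify round trip that an HMAC-SHA-256 provider performs, written as a standalone added example: it is not the framework's own code and does not implement IWebhookSigner. The WebhookHmac helper, the "sha256=" hex signature format, the secret and the payloads are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; not part of the framework.
static class WebhookHmac
{
    // Assumed wire format: "sha256=" + lowercase hex of HMAC-SHA-256(secret, raw body).
    const string Prefix = "sha256=";

    public static string Sign(byte[] rawBody, string secret)
    {
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        return Prefix + Convert.ToHexString(hmac.ComputeHash(rawBody)).ToLowerInvariant();
    }

    // Receiver side: verify over the exact bytes received, before any JSON parsing.
    public static bool Verify(byte[] rawBody, string secret, string received)
    {
        if (received is null || !received.StartsWith(Prefix, StringComparison.Ordinal))
            return false;
        byte[] claimed;
        try { claimed = Convert.FromHexString(received.AsSpan(Prefix.Length)); }
        catch (FormatException) { return false; }   // malformed hex is rejected, not thrown

        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        // Constant-time comparison, so response timing does not leak matching bytes.
        return CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(rawBody), claimed);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample values.
        const string secret = "constructed-demo-secret";
        byte[] body = Encoding.UTF8.GetBytes("{\"event\":\"order.created\",\"id\":\"evt_1\"}");
        string signature = WebhookHmac.Sign(body, secret);

        byte[] tampered = Encoding.UTF8.GetBytes("{\"event\":\"order.created\",\"id\":\"evt_2\"}");
        Console.WriteLine($"untouched body: {WebhookHmac.Verify(body, secret, signature)}");
        Console.WriteLine($"tampered body:  {WebhookHmac.Verify(tampered, secret, signature)}");
        Console.WriteLine($"wrong secret:   {WebhookHmac.Verify(body, "other-secret", signature)}");
        Console.WriteLine($"malformed sig:  {WebhookHmac.Verify(body, secret, "sha256=zz")}");
    }
}
```

Only the first check succeeds; a changed payload, a different secret and an unparsable signature are all rejected.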