This feature is available with the following pricing plans: Premium, Unlimited, Pay as You Grow

Webhooks sent by Northpass can be verified by calculating a digital signature.

Each Webhook request includes a X-Northpass-Hmac-SHA256 header which is generated using your school’s shared secret, along with the data sent in the request.

To verify that the request came from Northpass, compute the HMAC digest according to the following algorithm and compare it to the value in the X-Northpass-Hmac-SHA256 header. If they match, you can be sure that the Webhook was sent from Northpass and the data has not been compromised.

Note that if you are using a Rack based framework such as Ruby on Rails or Sinatra the header you are looking for is HTTP_X_Northpass_Hmac_SHA256

Below is a simple example in Ruby using the Sinatra web framework of how one might verify a webhook request.

require 'rubygems'require 'base64'require 'openssl'require 'sinatra'# The SchoolKeep app's shared secret, viewable from the Webhooks appSHARED_SECRET = 'my_shared_secret'helpers do  # Compare the computed HMAC digest based on the shared secret and the request contents  # to the reported HMAC in the headers  def verify_webhook(data, hmac_header)    digest  = OpenSSL::Digest::Digest.new('sha256')    calculated_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, SHARED_SECRET, data)).strip    calculated_hmac == hmac_header  endend# Respond to HTTP POST requests sent to this web servicepost '/' do  request.body.rewind  data = request.body.read  verified = verify_webhook(data, env["HTTP_X_Northpass_Hmac_SHA256"])  # Output 'true' or 'false'  puts "Webhook verified: #{verified}"end

Click here to see all articles related to API

Did this answer your question?