Localazy authenticates webhook events by including a signature in the request header. This security measure lets you verify that the events were genuinely sent by Localazy rather than a third party. This signature verification is important to implement on your receiving endpoint to ensure the security of your webhook integrations.
| Header name | Description | Type |
|---|---|---|
| X-Localazy-Timestamp | UNIX timestamps in seconds | string |
| X-Localazy-HMAC | HMAC SHA 256 of “{ts}-{raw post body}” signed by secret |
string |
Before you can verify signatures, you need to retrieve your project secret using the webhook secret endoint.
To verify that the request sent is valid (and therefore has not been modified during the transfer) calculate the hash of the request, and compare it with the value stored in the X-Localazy-HMAC header.
Learn more about Localazy Webhooks Security
Please help us with improving our documentation.
We appreciate all your feedback.