To verify a webhook request from BlockMark Registry, follow these steps:
1. Obtain your webhook secret from the Webhooks page in your BlockMark Registry organisation account. Store it securely in your application, such as in a .env file.
2. Use a cryptographic library (for example node:crypto for Node.js) to create an HMAC using the sha256 algorithm and your webhook secret. Convert the HMAC to a hexadecimal string (hex).
3. Compare the generated hex with the hex value in the X-Token header of the webhook request. If they match, the request is authentic.

Below is an example of how to verify a webhook request using Node.js, Express and the crypto module. This code assumes the webhook secret is stored in an environment variable (SECRET_KEY).
const express = require('express');
const crypto = require('crypto');

const app = express();
app.use(express.json());

app.post('/example', (req, res) => {
  const { headers } = req;
  // Get the token from the headers (Node lower-cases incoming header names)
  const xToken = headers['x-token'];
  // Get the webhook secret from environment variables
  const webhookSecret = process.env.SECRET_KEY;
  // Generate HMAC and convert to hex
  const generatedHex = crypto.createHmac('sha256', webhookSecret).digest('hex');
  // Reject a missing or malformed header before decoding it: Buffer.from(undefined)
  // throws, and crypto.timingSafeEqual throws when the two buffers differ in length,
  // which would surface as an unhandled error instead of a clean 400
  if (typeof xToken !== 'string' || xToken.length !== generatedHex.length || !/^[0-9a-f]+$/i.test(xToken)) {
    return res.status(400).send({ message: 'Invalid token provided' });
  }
  // Compare the generated hex with the header's token in constant time
  if (!crypto.timingSafeEqual(Buffer.from(generatedHex, 'hex'), Buffer.from(xToken, 'hex'))) {
    return res.status(400).send({ message: 'Invalid token provided' });
  }
  // Request is verified
  return res.status(200).send({ message: 'Success' });
});
In this example:

- The x-token header contains the hex value sent by BlockMark Registry.
- The webhook secret is read from the SECRET_KEY environment variable.
- The crypto.createHmac function creates an HMAC using the sha256 algorithm and the secret key, then converts it to hex.
- The crypto.timingSafeEqual function compares the generated hex with the header's x-token value securely to prevent timing attacks.
- If the values do not match, a 400 error is returned.

Best practices:

- Store your webhook secret securely, for example in a .env file or a secrets management service.
- Use crypto.timingSafeEqual to prevent timing attacks when comparing HMACs.
- Verify the X-Token header for every webhook request to ensure it originates from BlockMark Registry.