
#Verify signature

Setu will sign every notification sent to your webhook endpoint by generating a signature and sending it in a custom header x-setu-signature.

This signature lets you verify that a notification was sent by Setu rather than by a third party.

#Generating the signature

Setu generates the signature using a Hash-based Message Authentication Code (HMAC). An HMAC is computed from a secret key combined with a cryptographic hash function, in this case SHA-256.

This HMAC becomes the signature of the webhook, which is then used to authenticate the webhook and verify its payload.

You need to create a unique secret key for your webhook endpoint; this secret is shared between the webhook producer (Setu) and the consumer (you).

This secret is usually an alphanumeric string between 20 and 50 characters long. You can use this page to generate a unique secret.

Do not use symbols in your secret


#Verify the signature

To verify a signature, extract the notification payload and the x-setu-signature header from the request received on your webhook endpoint.

Below are the code snippets for verification:


Please ensure the notification payload is a string when using the snippets below.

```js
const crypto = require('crypto');

// Generate HMAC SHA-256 signature, base64-encoded
function generateHMACSHA256(message, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  hmac.update(message);
  return hmac.digest('base64');
}

// Verify HMAC SHA-256 signature in constant time
function verifyHMACSHA256(message, secret, signature) {
  const expectedSignature = generateHMACSHA256(message, secret);
  const received = Buffer.from(signature, 'base64');
  const expected = Buffer.from(expectedSignature, 'base64');
  // timingSafeEqual throws if the buffers differ in length, so reject that case first
  if (received.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(received, expected);
}

const message = '{"id":"01J1ZBPW7Y8M6NV1YXJYGJST5Q","rrn":"418666712574"}';
const secret = "thisisasecretkey";
const signature = "x-setu-signature value"; // replace with the header value from the request
const isValid = verifyHMACSHA256(message, secret, signature);
console.log("Is the signature valid?", isValid);
```