In order to verify that a webhook event reaching your environment was genuinely issued by OnCall, it is best practice to authenticate inbound requests.
When webhook authentication is enabled, OnCall will attach a signature the header of each request sent to your environment. The signature will in a header called
OnCall-Signature. We utilize HMAC-SHA512 as the signing algorithm.
Validating Webhook Events
- Ensure your service is storing your API secret. If you don't have this secret, please reach out to your account manager to retreive it.
- For each request, generate a signature using HMAC-SHA512. The message input will be the body of the webhook HTTP request, and the secret will be your API secret
- Compare this output to the signature that was attached in the
OnCall-Signatureheader. If it matches, then the request is genuine.