To verify that a webhook event reaching your environment was genuinely issued by OnCall, authenticate every inbound request before acting on it.

When webhook authentication is enabled, OnCall attaches a signature to each request it sends to your environment. The signature is carried in a header called OnCall-Signature. The signing algorithm is HMAC-SHA512, keyed with your API secret.

Validating Webhook Events

  1. Ensure your service has access to your API secret, stored as a secret (not in source control). If you don't have this secret, please reach out to your account manager to retrieve it.
  2. For each request, compute an HMAC-SHA512 over the exact raw bytes of the webhook HTTP request body, using your API secret as the key. Do not re-serialize the parsed JSON first: any change in whitespace or key order changes the digest.
  3. Compare this output to the value in the OnCall-Signature header using a constant-time comparison. If they match, the request is genuine; if the header is missing or does not match, reject the request (for example with a 401) before processing the event.
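The three steps above as working code. This is an added example, not OnCall's own client library; it assumes the header carries the HMAC-SHA512 digest as lowercase hex and that the HMAC key is the UTF-8 bytes of the API secret, neither of which the page states. The secret and request body are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

HEADER_NAME = "OnCall-Signature"


def compute_signature(body: bytes, secret: bytes) -> str:
    """HMAC-SHA512 over the exact request body bytes, hex-encoded (encoding is assumed)."""
    return hmac.new(secret, body, hashlib.sha512).hexdigest()


def verify_oncall_signature(body: bytes, header_value: Optional[str], secret: bytes) -> bool:
    """Return True only if header_value is a valid HMAC-SHA512 of body under secret.

    Always hash the raw bytes as received: re-serialising parsed JSON alters
    whitespace and key order and therefore the digest. hmac.compare_digest is
    used so that comparison time does not reveal how many leading characters of
    a forged signature were correct.
    """
    if not header_value:
        return False
    expected = compute_signature(body, secret)
    return hmac.compare_digest(expected, header_value.strip().lower())


def handle_webhook(headers: Dict[str, str], body: bytes, secret: bytes) -> Tuple[int, str]:
    """Minimal handler: reject unauthenticated events before parsing them."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lookup = {name.lower(): value for name, value in headers.items()}
    signature = lookup.get(HEADER_NAME.lower())
    if not verify_oncall_signature(body, signature, secret):
        return 401, "invalid signature"
    # Only now is it safe to json.loads(body) and act on the event.
    return 200, "ok"


# Constructed sample data for this example (not real OnCall traffic).
SAMPLE_SECRET = b"example-api-secret"
SAMPLE_BODY = b'{"event":"incident.triggered","id":"inc-123"}'

if __name__ == "__main__":
    sig = compute_signature(SAMPLE_BODY, SAMPLE_SECRET)
    print(handle_webhook({HEADER_NAME: sig}, SAMPLE_BODY, SAMPLE_SECRET))
    # A tampered body presented with the original signature must be rejected.
    tampered = SAMPLE_BODY.replace(b"inc-123", b"inc-999")
    print(handle_webhook({HEADER_NAME: sig}, tampered, SAMPLE_SECRET))
```

Read the body as bytes from your framework's raw request object (for example `request.get_data()` in Flask or `await request.body()` in FastAPI) rather than from the parsed JSON, and load the secret from your secret store at startup.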