Security

Survicate signs the webhook events it sends to your endpoints by including a signature in each event’s header. This allows you to verify that the events were sent by Survicate, not by a third party. Before you can verify signatures, you need to retrieve your Verification Token and/or Signing Secret from your Webhooks Settings section in the Survicate panel.

Verification token

The verification token is proof that the request is coming from Survicate on your behalf. You’ll find this value in the Webhooks Settings section of you app. Each webhook includes a verification token in Token header.

Be noted that the token is sent as plain text and hmac signature verification, which is described in the section below, is more secure.

Signing secret (recommended)

Survicate creates a unique string for your workspace and shares it with you. You can verify requests from Survicate with confidence by verifying signatures using your signing secret. Before you can verify signatures, you need to retrieve your webhooks Signing Secret from Webhooks Settings section in the Survicate panel.

Each webhook sent from Survicate on your behalf is signed with Signing Secret. Survicate generates signatures using a hash-based message authentication code (HMAC) with SHA-256. You can verify webhook events signatures by following these steps.

  1. Extract signature from the header Each webhook includes a hmac signature in Hmac header.
  2. Determine the expected signature Compute an HMAC with the SHA256 hash function. Use the signing secret as the key, and use the request body as the data to hash. Example: Make sure that the hash function in the programming language of your choice will return the hash in lowercase hexits.
  3. Compare the signatures Compare the signature extracted from the Hmac header to the expected signature.