# Securing Webhooks

When receiving webhook payloads from Tradier you can verify the digital signature of the webhook that you receive on your endpoint. By default, Tradier will use your Client Secret to add a signature that is delivered via the `x-webhook-signature` header along with webhook payloads.

For an added measure of security, when creating a webhook you can define a custom `secret` that is used to sign the webhook payload in lieu of your Client Secret.

## Verifying Webhook Payloads

Tradier uses HMAC-SHA256 to compute the hash that is delivered in the header. For example, let's assume you've set the secret for a webhook to `my_webhook_secret`. The body of the webhook payload is hashed with that secret and the resulting hash is delivered in the `x-webhook-signature` header:

```http
POST /yourtradier/webhook HTTP/1.1
Content-Type: application/json; charset=utf-8
Host: yourhost.com
x-webhook-signature: 617b9e5b2fb70b0107cb1f59a7d13b096576de5702306c57c63315787e47a145
Connection: close
Content-Length: 96

{"applicationId": 5,"clearingAccount": "1234","action": "SUBMITTED","email": "test@example.com"}
```

To verify the payload, you would then use the `secret` and the raw `body` of the webhook to generate a local hash that you could then use for comparison:

```ruby
require 'openssl'
require 'rack'

body = '{"applicationId": 5,"clearingAccount": "1234","action": "SUBMITTED","email": "test@example.com"}'
secret = 'my_webhook_secret'
sig = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, body)

# naive comparison: stops at the first differing byte (see the note below)
request.headers['x-webhook-signature'] == sig

# constant-time comparison: does not reveal where the two values diverge
Rack::Utils.secure_compare(sig, request.headers['x-webhook-signature'])
```

Note that it is best not to use an equivalency checker like `==` but rather to find a library that can do a secure comparison of the two values and lessens the risk of a timing attack.
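As an added example (not Tradier's or this page's own code), here is a complete Ruby verifier for the procedure above: it computes the HMAC-SHA256 over the raw request body, compares in constant time as the note recommends, and rejects a missing header. The constant-time compare is hand-rolled so the snippet runs without Rack, and the sample secret, body and header are constructed here, with the header value computed locally rather than copied from the page.

```ruby
require 'openssl'
require 'json'

# Added example (not Tradier's own code): verify the x-webhook-signature
# header that Tradier attaches to a webhook delivery, as described above.
# The secret is the custom webhook `secret` (or the Client Secret by default).

# Constant-time comparison: work through every byte regardless of where the
# first mismatch is, so the verifier's timing does not reveal how many leading
# characters of a candidate signature were correct. Rack::Utils.secure_compare
# does the same job if Rack is available. (Length is public, so an early
# return on a length mismatch is fine.)
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Expected signature exactly as the page describes: hex(HMAC-SHA256(secret, raw_body)).
def expected_signature(secret, raw_body)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, raw_body)
end

# True only if the header is present and matches the HMAC of the raw request
# body. The raw bytes must be used: re-serialising parsed JSON changes
# whitespace and key order and therefore produces a different HMAC.
def valid_webhook?(secret, raw_body, header_value)
  return false if header_value.nil? || header_value.empty?
  constant_time_equal?(expected_signature(secret, raw_body), header_value)
end

# Constructed sample delivery: the body and secret are the page's examples,
# the header is computed here rather than taken from the page.
SAMPLE_SECRET = 'my_webhook_secret'
SAMPLE_BODY = '{"applicationId": 5,"clearingAccount": "1234",' \
              '"action": "SUBMITTED","email": "test@example.com"}'
SAMPLE_HEADER = expected_signature(SAMPLE_SECRET, SAMPLE_BODY)

if __FILE__ == $PROGRAM_NAME
  puts valid_webhook?(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADER)        # true
  tampered = SAMPLE_BODY.sub('"1234"', '"9999"')
  puts valid_webhook?(SAMPLE_SECRET, tampered, SAMPLE_HEADER)           # false
  reserialised = JSON.parse(SAMPLE_BODY).to_json                        # bytes differ
  puts valid_webhook?(SAMPLE_SECRET, reserialised, SAMPLE_HEADER)       # false
end
```

In a Rack or Rails handler, pass the unmodified request body (for example `request.raw_post` in Rails) rather than the parsed parameters, for the reason given in the comments.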