We recommend verifying each webhook request to make sure it comes from Ecwid and was not altered or corrupted during transmission. You can do that by validating the webhook signature that comes with each webhook.
Where to find the signature
A webhook signature is sent in the X-Ecwid-Webhook-Signature HTTP header with each webhook request.
How is the signature generated
The signature is an encoded string generated by concatenating the following webhook data (the delimiter is a dot, .):
- eventCreated (webhook event timestamp)
- eventId (webhook event ID)
The resulting string is encoded using HMAC SHA-256 with client_secret as the shared secret key.
Important: client_secret is not your access token that looks like secret_*. It is a separate value you received when you registered the application with Ecwid.
How to validate the signature
To verify a webhook in your application:
- Get the signature from the request headers
- Get eventCreated and eventId values from the request body
- Encode the string '{eventCreated}.{eventId}' using HMAC SHA256 (using client_secret as the shared secret key) and pass it through Base64 encoding
- Compare the resulting string with the received webhook signature
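The four steps above as an added Python example (not code from Ecwid). The function names, the sample secret and the sample event are constructed for illustration, and the code assumes eventCreated arrives as an integer timestamp so that it formats to the same digits Ecwid signed.

```python
import base64
import hashlib
import hmac
import json


def expected_signature(event_created, event_id, client_secret):
    """Base64(HMAC-SHA256(client_secret, '{eventCreated}.{eventId}'))."""
    message = f"{event_created}.{event_id}".encode("utf-8")
    digest = hmac.new(client_secret.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(headers, raw_body, client_secret):
    """Return True only if X-Ecwid-Webhook-Signature matches the request body."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get("x-ecwid-webhook-signature")
    if not received:
        return False  # unsigned request: reject
    try:
        body = json.loads(raw_body)
        event_created = body["eventCreated"]
        event_id = body["eventId"]
    except (ValueError, KeyError, TypeError):
        return False  # malformed JSON or missing fields: reject
    expected = expected_signature(event_created, event_id, client_secret)
    # Constant-time comparison: do not leak how many leading characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), received.strip().encode("utf-8"))


# Constructed sample data (not a real Ecwid event or client_secret).
SAMPLE_SECRET = "example-client-secret"
SAMPLE_EVENT_ID = "00000000-aaaa-bbbb-cccc-000000000001"
SAMPLE_EVENT_CREATED = 1700000000
SAMPLE_BODY = json.dumps(
    {"eventId": SAMPLE_EVENT_ID, "eventCreated": SAMPLE_EVENT_CREATED}
)
SAMPLE_HEADERS = {
    "X-Ecwid-Webhook-Signature": expected_signature(
        SAMPLE_EVENT_CREATED, SAMPLE_EVENT_ID, SAMPLE_SECRET
    ),
}

if __name__ == "__main__":
    print("valid:", verify_webhook(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET))
    print("wrong secret:", verify_webhook(SAMPLE_HEADERS, SAMPLE_BODY, "secret_abc"))
```

Call verify_webhook before acting on the event and reject the request when it returns False. The signed string contains only eventCreated and eventId, so a passing check authenticates those two values rather than the rest of the body.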