If a webhook URL was provided while creating an engagement, each request will carry the header SparkAI-Signature. This header lets you verify that the request actually originates from SparkAI and, because it carries a timestamp, helps prevent replay attacks.
Each user/robot can have up to 1 webhook token, which is used as the key for signing the payload. The signature is a hash-based message authentication code (HMAC) computed over the payload with SHA-256.
Verifying using SparkAI Client
You can use the official client to validate the signature and check the request's origin, using the header, the body, and your secret.
validate_webhook_secret(request_header, request_body, self_secret)
Verifying manually
The header includes a timestamp t and a signature v1, as shown below:
SparkAI-Signature: t=1655816849109,v1=f2a1f123e5a1234c3a018c748c4e123dfaabe5af12cb8bdb1d6e4521fb12b123
Step 1: Extract the fields t and v1 from the header, separately.
Step 2: Generate the payload using the timestamp and the request body, separated by a dot, as shown below:
TIMESTAMP_AS_STRING.JSON_REQUEST_BODY
Step 3: Compute an HMAC-SHA256 of that payload, using your secret token as the key.
The request is valid if the header signature matches the one generated through this process.