Webhook Object Details

Webhook Format

Best key to Query The _rest key is the best key to query by, as it matches what you receive from the API.

Webhook URL Response Object

HMAC for Webhooks

Every webhook is signed with HMAC.

HMAC is a protocol that helps you judge the authenticity of the received message. This comes in handy when you want to quickly find out whether the webhook was sent by Synapse or a malicious/notorious party.

The signature is a SHA-1 and SHA-256 HMAC hash of the object_id + your client_id, with the secret key as your client_secret.

Please note: Python (FullBody) uses the entire body of a webhook to create a signature, which can be used to rebuild a X-Synapse-Signature-SHA256-FullBody signature.

You will be able to rebuild the signature the following way:

import hmac 
from hashlib import sha1, sha256

key = 'your_client_secret'
raw = '{0}+{1}'.format(payload['_id']['$oid'],'your_client_id')

hashed_sha1 = hmac.new(key, raw, sha1)
hashed_sha256 = hmac.new(key, raw, sha256)

# The signature
print hashed_sha1.hexdigest()
print hashed_sha256.hexdigest()

import hmac
from hashlib import sha1, sha256
import json

payload = {"key": "value"}

webhook = json.dumps(payload,sort_keys=True).encode('utf-8')

key = bytes('your_client_secret','utf-8')

hashed_sha256 = hmac.new(key, webhook, sha256)

# The signature
print(hashed_sha256.hexdigest())

Please note that raw should look like this (with +): 563db3fb86c27307d925871f+e3f19e4bd4022c86e7f2

Not like this (without +): 563db3fb86c27307d925871fe3f19e4bd4022c86e7f2.

Since the SHA-1 signature is in hex, it should look like this:5bce964c20b0c36313d8f7cffc2ff4772d0c96750

We then take this signature and add it into the header of the request with name X-Synapse-Signature and X-Synapse-Signature-Sha256.

PreviousSubscription Object Details NextTesting on UAT

Last updated 1 year ago