Signature Validation

Signature validation

Since your webhook URL is publicly available, you need to verify that events are truly originating from Curacel and not an unauthorized entity. Therefore, you need to check for authenticity using the Webhook Secret which you generate from your dashboard.

The events sent from Curacel carry the x-curacel-signature header. The value of this header is an HMAC SHA256 signature of the event payload signed using your webhook secret. Verifying the header signature should be done before processing the event:

// ensure it's post request with the curacel signature header
if ((strtoupper($_SERVER['REQUEST_METHOD']) != 'POST' ) || !array_key_exists('x-curacel-signature', $_SERVER) ) 

// Retrieve the request's body
$input = @file_get_contents("php://input");

// validate event
if($_SERVER['HTTP_X_CURACEL_SIGNATURE'] !== hash_hmac('sha256', $input, WEBHOOK_SECRET))


// parse event (which is json string) as object
// Do something - that will not take long - with $event
$event = json_decode($input);

var crypto = require('crypto');
var secret = process.env.WEBHOOK_SECRET;

// Using Express.js"/my/webhook/url", function(req, res) {
    //validate event
    const hash = crypto.createHmac('sha256', secret).update(JSON.stringify(req.body)).digest('hex');
    if (hash == req.headers['x-curacel-signature']) {
        // Retrieve the request's body
        const event = req.body;
        // Do something with event.