post https://apis.elai.io/api/v1/webhook/secret
You can use this endpoint to specify your own secret key for webhooks signing. Ensure your server is only receiving the expected Elai requests for security reasons.
How do you verify our signatures?
Each of our request contains two extra headers: Elai-Timestamp and Elai-Signature.
Elai-Signature is based on concatenation of two important fields in every webhook triggering:
const message = [elaiTimestampFromHeader, payloadFromBody].join('.')
The signature by itself is an HMAC created using the SHA256 hash function, by signing the message using the your webhook secret as the signing key.
const crypto = require('crypto')
const hmac = crypto.createHmac('sha256', webhookSecretToken)
hmac.update(message)
const signature = hmac.digest('hex')
// and check it
signature === req.headers['Elai-Signature']