| Key | Type | Description |
|---|---|---|
| X-Subtotal-Signature | string | HMAC-SHA256 of the signed_payload string (timestamp, a `.`, and the raw request body), keyed with the destination's signing_secret |
| X-Subtotal-Timestamp | string | The timestamp of the webhook request |
Step 1: Prepare the signed_payload string
Concatenate the following, in this order, to create the signed_payload string:
- The timestamp (as a string, exactly as received in X-Subtotal-Timestamp)
- A single `.` character
- The request body (as a string, the raw bytes exactly as received, before any parsing or re-serialization)
Step 2: Compute the expected_signature
Compute the expected_signature with HMAC-SHA256.
Use the webhook destination's signing_secret as the key, and use the signed_payload string as the message.
The signing_secret is obtained when a new webhook destination is created in the Subtotal Dashboard.
Step 3: Compare the signatures
Compare the expected_signature to the value of the X-Subtotal-Signature header.
To prevent replay attacks, compare the received timestamp to the current time and reject requests outside your tolerance window.
To protect against timing attacks, use a constant-time string comparison.
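The three steps above, plus the replay and timing caveats, as one receiver-side check. This is an added example written for this page, not Subtotal's own code; it assumes, since the page does not say, that the signature header carries the HMAC-SHA256 digest as lowercase hex and that the timestamp is Unix seconds as a decimal string. The secret, body and timestamp in the demo are constructed values, and `sign_request` exists only to build sample requests for the demo.

```python
import hashlib
import hmac
import time
from typing import Dict, Mapping, Optional, Tuple

SIGNATURE_HEADER = "X-Subtotal-Signature"
TIMESTAMP_HEADER = "X-Subtotal-Timestamp"


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def compute_signature(signing_secret: str, timestamp: str, body: bytes) -> str:
    """Step 1 and Step 2: signed_payload = timestamp + "." + body, then HMAC-SHA256.

    Assumption (not stated on the page): the digest is encoded as lowercase hex.
    """
    signed_payload = timestamp.encode("utf-8") + b"." + body
    return hmac.new(signing_secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(signing_secret: str, headers: Mapping[str, str], body: bytes,
                   tolerance_seconds: int = 300, now: Optional[int] = None) -> Tuple[bool, str]:
    """Step 3 with both caveats: timestamp tolerance window and constant-time comparison.

    `body` must be the raw request bytes exactly as received; re-serializing parsed JSON
    can change whitespace or key order and the HMAC will no longer match.
    Returns (accepted, reason).
    """
    received_sig = _get_header(headers, SIGNATURE_HEADER)
    timestamp = _get_header(headers, TIMESTAMP_HEADER)
    if received_sig is None or timestamp is None:
        return False, "missing signature or timestamp header"

    # Assumption: the timestamp is Unix seconds as a decimal string.
    try:
        ts = int(timestamp)
    except ValueError:
        return False, "timestamp is not an integer"
    current = int(time.time()) if now is None else now
    if abs(current - ts) > tolerance_seconds:
        return False, "timestamp outside tolerance window (possible replay)"

    expected_sig = compute_signature(signing_secret, timestamp, body)
    # compare_digest takes time independent of where the inputs first differ,
    # so response timing does not leak the correct MAC byte by byte.
    if not hmac.compare_digest(expected_sig.encode("ascii"), received_sig.encode("utf-8")):
        return False, "signature mismatch"
    return True, "ok"


def sign_request(signing_secret: str, body: bytes, timestamp: str) -> Dict[str, str]:
    """Sender side, used here only to build sample requests for the demo."""
    return {
        SIGNATURE_HEADER: compute_signature(signing_secret, timestamp, body),
        TIMESTAMP_HEADER: timestamp,
    }


if __name__ == "__main__":
    secret = "whsec_example_secret"  # constructed; a real one comes from the Subtotal Dashboard
    body = b'{"event":"order.updated","order_id":"ord_123"}'  # constructed sample body
    now = 1_700_000_000
    headers = sign_request(secret, body, str(now))
    print(verify_webhook(secret, headers, body, now=now))          # (True, 'ok')
    print(verify_webhook(secret, headers, body + b" ", now=now))   # tampered body: signature mismatch
    print(verify_webhook(secret, headers, body, now=now + 600))    # stale timestamp: rejected as replay
```

The timestamp window is checked before the HMAC is computed so that obviously stale requests are cheap to drop, but both checks are required: the window alone does nothing against a forged request carrying a fresh timestamp, and the signature alone does nothing against a captured request replayed later.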