Webhook Verification
Sergio Leon
Agreed! HMAC validation using the Client Secret as key derivation material is the de facto standard for this.
Only caveat I would put, this needs to be opt-in, not like in the picture.
Requiring that the receiver verify the payload at the point of catching the webhook would harm integrators' ability to use off-the-shelf platforms.
Making it opt-in would also allow for store-and-forward architectures that defer evaluation of the signature (e.g.: enqueuing incoming messages and applying throttling to smooth out peaks in resource utilization).
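Below is a sketch of the scheme discussed in this thread: HMAC-SHA256 over the raw request body keyed with the shared Client Secret, verified either inline or after the message has been queued (the store-and-forward case). This is an added example, not code from the thread or from GHL; the secret value, the `X-Webhook-Signature` header name, and the JSON payloads are constructed assumptions, not GHL's actual format. It also shows the most common integrator mistake with this pattern: re-serializing the JSON before hashing, which silently breaks verification.

```python
import hashlib
import hmac
import json
from collections import deque

# Constructed assumptions for the example: the shared secret handed to the
# integrator and the header the sender puts the signature in. These are not
# GHL's real values or header names.
CLIENT_SECRET = b"example-client-secret-do-not-use"
SIGNATURE_HEADER = "X-Webhook-Signature"

# Constructed sample payload (compact JSON, no spaces after separators).
SAMPLE_BODY = b'{"event":"contact.created","id":"abc123"}'


def sign_payload(body: bytes, secret: bytes = CLIENT_SECRET) -> str:
    """Sender side: HMAC-SHA256 over the raw request body, hex encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, provided: str, secret: bytes = CLIENT_SECRET) -> bool:
    """Receiver side: recompute the MAC over the exact bytes received and
    compare in constant time so a timing side channel cannot leak the MAC."""
    expected = sign_payload(body, secret)
    return hmac.compare_digest(expected, provided or "")


def signature_survives_reserialization(body: bytes, secret: bytes = CLIENT_SECRET) -> bool:
    """Common integrator bug: parsing the JSON and re-serializing it before
    hashing. json.dumps changes whitespace, so the MAC no longer matches and
    this returns False even for a genuine message."""
    sig = sign_payload(body, secret)
    reserialized = json.dumps(json.loads(body)).encode()
    return verify_signature(reserialized, sig, secret)


def enqueue_raw(queue: deque, headers: dict, body: bytes) -> None:
    """Store-and-forward ingress: accept the request immediately, keep the raw
    body and the signature header together, and defer verification."""
    queue.append((headers.get(SIGNATURE_HEADER, ""), body))


def drain(queue: deque, secret: bytes = CLIENT_SECRET):
    """Worker side: verify each stored message before acting on it.
    Returns (accepted_events, rejected_count)."""
    accepted, rejected = [], 0
    while queue:
        sig, body = queue.popleft()
        if verify_signature(body, sig, secret):
            accepted.append(json.loads(body))
        else:
            rejected += 1
    return accepted, rejected


def demo_store_and_forward():
    """Three constructed deliveries: two genuine, one forged by a sender that
    does not hold the secret. Only the genuine ones survive draining."""
    queue = deque()
    genuine_1 = SAMPLE_BODY
    genuine_2 = b'{"event":"contact.updated","id":"abc123"}'
    forged = b'{"event":"contact.deleted","id":"abc123"}'
    enqueue_raw(queue, {SIGNATURE_HEADER: sign_payload(genuine_1)}, genuine_1)
    enqueue_raw(queue, {SIGNATURE_HEADER: sign_payload(genuine_2)}, genuine_2)
    enqueue_raw(queue, {SIGNATURE_HEADER: sign_payload(forged, b"wrong-secret")}, forged)
    return drain(queue)


if __name__ == "__main__":
    accepted, rejected = demo_store_and_forward()
    print(f"accepted={len(accepted)} rejected={rejected}")
    print("reserialized payload verifies:", signature_survives_reserialization(SAMPLE_BODY))
```

The queue keeps the signature header next to the raw bytes precisely so that deferred verification is possible; if an ingress layer parses and re-encodes the body before storing it, the worker can no longer recompute the MAC. Whatever the real scheme ends up being, the receiver should hash the bytes as received and use a constant-time comparison.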
Georgi Anastasov
Yes, right now there is no way to verify whether the webhook is actually coming from GHL; HMAC validation will be a great way to achieve this.