Webhook Signatures

To help you secure your webhook handlers so that they only respond to events sent from Trophy and not to requests forged by an attacker, Trophy includes a webhook signature with every event. The signature is sent in the X-Trophy-Signature header and is a base64-encoded HMAC-SHA256 of the raw request body, keyed with the webhook secret that Trophy provides for that webhook.

Webhook Secrets

Each webhook you set up in Trophy has a unique webhook secret which you can access from the webhooks page in the Trophy dashboard.
Make sure you store your webhook secret in a secure environment variable and do not commit it to source control.

Securing Webhook Handlers

To validate that the events your webhook handler receives actually come from Trophy, compute the same HMAC-SHA256 yourself over the raw request body using your webhook secret, base64-encode it, and compare it with the value of the X-Trophy-Signature header. Use a constant-time comparison so that the check does not leak how many leading characters of the signature were correct.
Once you have your webhook secret, you're ready to start validating events. Here's an example in NodeJS:
Validating Webhook Events
  import { createHmac, timingSafeEqual } from "node:crypto";

  // Extract the X-Trophy-Signature header from the request (empty string if absent)
  const hmacHeader = request.headers.get("X-Trophy-Signature") ?? "";

  // Compute the HMAC-SHA256 over the raw, unparsed request body.
  // Use request.text() rather than re-serialising a parsed JSON object:
  // any difference in whitespace or key order would change the digest.
  const hash = createHmac("sha256", process.env.TROPHY_WEBHOOK_SECRET as string)
      .update(await request.text())
      .digest("base64");

  // Compare in constant time. timingSafeEqual throws if the lengths differ,
  // so check the length first; a length mismatch is simply an invalid signature.
  const expected = Buffer.from(hash);
  const received = Buffer.from(hmacHeader);
  if (expected.length === received.length && timingSafeEqual(expected, received)) {
      console.log("Webhook is originating from Trophy");
      // Request validated, continue processing
  } else {
      console.log("Signature is invalid, rejected");
      // Request is not from Trophy, reject with 4XX status
  }
If your handler detects a request that did not originate from Trophy, it's important to reject the request as early as possible with a 4XX status code, before parsing the body or acting on its contents.

Get Support

Want to get in touch with the Trophy team? Reach out to us via email. We’re here to help!