If a webhook URL was provided when the engagement was created, the request will contain the SparkAI-Signature header. This header identifies the request as coming from SparkAI and helps prevent replay attacks.
Each user/robot can have at most one webhook token, which is used as the key when hashing the payload. The signature is a hash-based message authentication code (HMAC) computed over the payload with SHA-256.
You can use the official client to validate the signature and check the request's origin, using the header, the body, and your secret.
validate_webhook_secret(request_header, request_body, self_secret)
The header includes a timestamp t and a signature v1, as shown below:
Step 1: Extract the fields t and v1 from the header, separately.
Step 2: Generate the payload using the timestamp and the request body, separated by a dot, as shown below:
Step 3: Use your secret token as the key to create an HMAC with SHA-256 over the payload from Step 2.
The request is valid if the header signature matches the one generated through this process.
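The three steps above as an added example; this is not SparkAI's official client code. It assumes the header has the form t=<unix seconds>,v1=<hex digest>, which this page does not show, and it adds an assumed 300-second freshness window; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed freshness window; the page does not specify one


def parse_signature_header(header):
    """Step 1: extract t and v1 (assumed form: 't=<unix seconds>,v1=<hex digest>')."""
    fields = {}
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value
    if "t" not in fields or "v1" not in fields:
        raise ValueError("header is missing t or v1")
    return fields["t"], fields["v1"]


def expected_signature(secret, timestamp, body):
    """Steps 2 and 3: HMAC-SHA256 over '<t>.<body>', keyed with the webhook token."""
    payload = timestamp.encode() + b"." + body
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_webhook(header, body, secret, now=None):
    """Return True only for a well-formed, fresh, correctly signed request."""
    try:
        timestamp, signature = parse_signature_header(header)
        sent_at = int(timestamp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return False  # stale timestamp: a captured request being replayed
    expected = expected_signature(secret, timestamp, body)
    # compare_digest is constant-time, so a mismatch leaks no prefix information
    return hmac.compare_digest(expected.encode(), signature.encode())


# Constructed sample request (not real SparkAI data)
SECRET = b"example-webhook-token"
BODY = b'{"engagement_id": "demo"}'
T = "1700000000"
HEADER = "t=" + T + ",v1=" + expected_signature(SECRET, T, BODY)

if __name__ == "__main__":
    print(verify_webhook(HEADER, BODY, SECRET, now=1700000010))
```

Pass the raw request bytes as body: re-serializing parsed JSON before hashing can change whitespace or key order and make a valid signature fail.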