App Marketplace – Security Update | Webhook Authentication

We are thrilled to announce an upgrade to our webhook authentication system!

This update introduces new security mechanisms designed to protect your integrations from replay attacks and ensure the authenticity of webhook payloads. Here’s everything you need to know about these enhancements.

Please note that these changes apply to all webhooks.

1. Timestamp and Webhook ID:

Every webhook payload now includes:

  1. Timestamp: A UTC timestamp indicating when the webhook was sent.
  2. Webhook ID: A unique identifier for each webhook delivery.

These additions ensure that each webhook request can be uniquely identified and time-validated to prevent replay attacks.

2. x-wh-signature Header:

The x-wh-signature header is a new addition to webhook requests. It contains a digitally signed hash that verifies the payload’s integrity and authenticity. This signature can be verified using:

  1. A public key (refer to the docs below)
  2. The webhook payload.
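
A receiver can combine the three checks described above (signature, timestamp, webhook ID) as in the following added example, which is not the platform's own code. The signature scheme (RSA with SHA-256, base64-encoded), the payload field names `timestamp` and `webhookId`, and the five-minute window are assumptions, since this announcement does not specify them; the key pair and payload are constructed for the demo.

```javascript
const crypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window; the page gives none
const seenIds = new Map(); // webhookId -> expiry in ms; use a shared store in production

// rawBody must be the exact string received, not re-serialized JSON.
function verifyWebhook(rawBody, signatureB64, publicKeyPem, now = Date.now()) {
  // 1. Authenticity: assumed RSA + SHA-256, base64 signature in x-wh-signature.
  let valid = false;
  try {
    valid = crypto.verify("sha256", Buffer.from(rawBody), publicKeyPem,
      Buffer.from(String(signatureB64 || ""), "base64"));
  } catch {
    valid = false; // a malformed key or signature counts as a failed check
  }
  if (!valid) return "bad-signature";

  // 2. Freshness: parse only after the signature is trusted.
  let body;
  try { body = JSON.parse(rawBody); } catch { return "bad-json"; }
  const sentAt = Date.parse(body?.timestamp); // assumed field name, ISO 8601 UTC
  if (Number.isNaN(sentAt) || Math.abs(now - sentAt) > MAX_SKEW_MS) return "stale-timestamp";

  // 3. Uniqueness: remember each ID until its timestamp can no longer pass step 2.
  for (const [seen, expiry] of seenIds) if (now > expiry) seenIds.delete(seen);
  const id = body.webhookId; // assumed field name
  if (typeof id !== "string" || seenIds.has(id)) return "replayed-id";
  seenIds.set(id, sentAt + MAX_SKEW_MS);
  return "accepted";
}

// Constructed sender: a throwaway key pair stands in for the platform's signing key.
const demoKeys = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
function makeSample(now, webhookId) {
  const raw = JSON.stringify({ type: "example.event", webhookId,
    timestamp: new Date(now).toISOString() });
  const sig = crypto.sign("sha256", Buffer.from(raw), demoKeys.privateKey).toString("base64");
  const pub = demoKeys.publicKey.export({ type: "spki", format: "pem" });
  return { raw, sig, pub };
}

const demo = makeSample(Date.now(), "wh-demo-1");
console.log(verifyWebhook(demo.raw, demo.sig, demo.pub)); // first delivery
console.log(verifyWebhook(demo.raw, demo.sig, demo.pub)); // same request replayed
```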

This security update aims to improve the developer experience and to maintain the authenticity of the data sent to developers as part of events. It provides higher reliability as well as enhanced capabilities for developers to explore, and it enables developers to validate and ensure user trust.