Links

Signature verification

Signature verification is crucial for ensuring the integrity and authenticity of the data received. It involves verifying that the data was sent by Xumm and has not been tampered with.
If you want to make sure a WebHook received by your platform has been sent by the Xumm platform, verify the signature the platform sends in an HTTP header.
Every WebHook call contains a signature to verify the authenticity. It sends an HMAC using your application secret as a key. Sample verification in NodeJS:
import crypto from 'crypto'
// Xumm App secret (Xumm developer console)
const secret = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
const timestamp = req.headers?.['x-xumm-request-timestamp'] || ''
const json = req.body
const hmac = crypto.createHmac('sha1', secret.replace('-', ''))
.update(timestamp + JSON.stringify(json))
.digest('hex')
console.log(hmac, hmac === req.headers?.['x-xumm-request-signature'])