Webhooks authentication

You need to secure your integration by making sure your handler verifies that all webhook requests are generated by BeeFast.

Each request includes an X-Beefast-Signature header, which contains a signature generated using a hash-based message authentication code (HMAC) with SHA-256.

To verify the signature you must complete the following steps:

1. Extract the timestamp and the signature from the header

Split the header using the , character as the separator to get a list of elements. Then split each element using the = character as the separator to get a prefix and value pair.

The value for the prefix t corresponds to the timestamp, and s corresponds to the signature.

2. Prepare the signed_payload string

The signed_payload string is created by concatenating:

  • The timestamp (as a string)

  • The character .

  • The actual JSON payload (that is, the request body)

Example: "1752144585.{"id":"15037483344643960","event":"DELIVERY_STATUS_CHANGED","requestTs":1752144585,"data":{"deliveryID":"iy0sW9zGrsEzGUNr0Vn1__deliv__JQ6XKvRd3bj1eCH3xRRy","statusChangeAtTs":1752144577,"status":"IN_DELIVERY_GOING_TO_PICKUP"}}"

3. Determine the expected signature

Compute an HMAC with the SHA-256 hash function. Use the endpoint’s secret (generated when adding the webhook on the client's page) as the key, and use the signed_payload string as the message.

4. Compare the signatures

Compare the signature in the header to the expected signature.
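The four steps above as a Python helper for a webhook handler. This is an added example, not BeeFast's own code: the function names, secret and sample body are constructed, and it assumes the signature value is hex-encoded, which the page does not state.

```python
import hashlib
import hmac


def parse_signature_header(header: str) -> dict:
    """Step 1: split on ',' and then on '=' into prefix/value pairs."""
    parts = {}
    for element in header.split(","):
        prefix, sep, value = element.strip().partition("=")
        if not sep or prefix in parts:  # no '=' or a repeated prefix
            raise ValueError("malformed signature header")
        parts[prefix] = value
    return parts


def expected_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Steps 2 and 3: HMAC-SHA256 over '<timestamp>.<request body>'."""
    # Use the body bytes exactly as received; re-serialising the parsed
    # JSON can reorder keys or change whitespace and break the signature.
    signed_payload = timestamp.encode("ascii") + b"." + raw_body
    # Assumption: the header carries the signature as lowercase hex.
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(header: str, raw_body: bytes, secret: bytes) -> bool:
    """Step 4: True only when the header signature matches the expected one."""
    try:
        parts = parse_signature_header(header)
        expected = expected_signature(secret, parts["t"], raw_body)
        # compare_digest runs in constant time, so response timing does not
        # reveal how many leading characters of a guess were correct.
        return hmac.compare_digest(expected.encode("ascii"), parts["s"].encode("ascii"))
    except (KeyError, ValueError):  # missing prefix, bad header, non-ASCII
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed, not a real secret
    body = b'{"id":"15037483344643960","event":"DELIVERY_STATUS_CHANGED"}'  # constructed, shortened
    header = "t=1752144585,s=" + expected_signature(secret, "1752144585", body)
    print(verify_webhook(header, body, secret))         # True
    print(verify_webhook(header, body + b" ", secret))  # False
```

Call verify_webhook before parsing the JSON, and reject the request when it returns False.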
