Verifying Webhooks

Why Verify

Because of the way webhooks work, attackers can impersonate services by simply sending a fake webhook to an endpoint. Think about it: it's just an HTTP POST from an unknown source. This is a potential security hole for many applications, or at the very least, a source of problems.

In order to prevent it, Fyatu signs every webhook and its metadata with an encryption key for each request. This signature can then be used to verify the webhook indeed comes from Fyatu, and only process it if it is.

Did this page help you?