WebHook Security

Updated 2 weeks ago by Matthew Clementson

If you provide an HTTPS endpoint for your webhook, your webhook requests will be signed using your webhook signing secret, so that you can be sure that the request came from Hu:toma and not from anyone else.

The raw content of the HTTP body of your webhook request is hashed using the HMAC SHA256 algorithm, keyed with your webhook signing secret; the result is placed in the X-Hub-Signature header.

Example code

There is an example in Python of how to validate a webhook signature on our public GitHub repository.
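The following is an added illustration of the validation described above (and of why validation fails after the secret is regenerated, as discussed under "Regenerating the webhook signing secret" below). It is not the code from the public GitHub repository and not part of this page. It assumes the X-Hub-Signature header carries the HMAC digest as lowercase hex with no prefix; the secrets, body and header dictionary are constructed sample values, and the helper names (compute_signature, verify_signature, handle_webhook) are hypothetical.

```python
import hashlib
import hmac
from typing import Mapping, Optional, Tuple

# Constructed sample values for this example; not real Hu:toma credentials.
SIGNING_SECRET = "example-signing-secret-not-real"
ROTATED_SECRET = "example-rotated-secret-not-real"   # what the secret becomes after "regenerate"
SAMPLE_BODY = b'{"intent":"greeting","text":"hello"}'  # raw bytes exactly as received
HEADER_NAME = "X-Hub-Signature"                        # header name as stated on the page


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, keyed with the signing secret.

    Assumption: the header value is the lowercase hex digest. Check the
    platform's own Python example for the exact encoding before relying on this.
    """
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header matches the HMAC of the raw body under this secret.

    hmac.compare_digest runs in constant time, so the comparison does not leak
    how many leading characters of the signature an attacker got right.
    """
    if not header_value:
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, header_value.strip().lower())


def handle_webhook(secret: str, headers: Mapping[str, str], raw_body: bytes) -> Tuple[int, str]:
    """Minimal request handler: reject before parsing the body.

    Verification must run on the raw bytes. Parsing the JSON and re-serialising
    it would change whitespace or key order and the HMAC would no longer match.
    """
    # Header names are case-insensitive in HTTP, so look the header up that way.
    header_value = next((v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None)
    if not verify_signature(secret, raw_body, header_value):
        return 401, "invalid or missing signature"
    return 200, "ok"


if __name__ == "__main__":
    good_sig = compute_signature(SIGNING_SECRET, SAMPLE_BODY)
    print("valid request   :", handle_webhook(SIGNING_SECRET, {HEADER_NAME: good_sig}, SAMPLE_BODY))
    print("tampered body   :", handle_webhook(SIGNING_SECRET, {HEADER_NAME: good_sig}, SAMPLE_BODY + b" "))
    print("missing header  :", handle_webhook(SIGNING_SECRET, {}, SAMPLE_BODY))
    # After regenerating the secret, requests signed with the old secret fail:
    print("after regenerate:", handle_webhook(ROTATED_SECRET, {HEADER_NAME: good_sig}, SAMPLE_BODY))
```

The last call shows the behaviour the warning on the regenerate button refers to: the platform signs with the new secret, so a receiver still holding the old one rejects every request until it is updated.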

Getting the signing secret

To access your webhook signing secret, go to the Settings page for your bot.

You must never share this secret with anyone, or post it in a public place, as this secret would allow others to sign HTTPS requests that make it appear they are from the Hu:toma platform.

You should see the webhook signing secret under the "API Keys" section.

[Image: API Keys section showing the webhook signing secret]

When a bot is first created, this secret is blank until either a secured HTTPS webhook is called, or the secret is regenerated manually.

Regenerating the webhook signing secret

If you need to regenerate a new webhook signing secret, press the regenerate button to the right of where the secret is shown. An example of when you might want to do this is if your webhook signing secret has been compromised.

Changing the secret will cause any existing webhook validation code to fail, as signatures produced with the new secret will not match those your code expects. For this reason a warning will appear if you regenerate the secret. If you are setting up webhook signature validation for the first time you can safely ignore this warning.
