Skip to main content
  1. IP Whitelisting.
  2. Signature validation with secret and payload (x-dojah-signature).
  3. Signature validation with secret only (x-dojah-signature-v2).

​

​
IP Whitelisting.

With this method, you only allow certain IP addresses to access your webhook URL while blocking out others. Dojah will only send webhooks from these IP addresses: 20.112.64.208

​

​
Signature validation with secret and payload.

Events sent from Dojah carry the x-dojah-signature header. The value of this header is a HMAC SHA256 signature of the event payload signed using your secret key. Verifying the header signature should be done before processing the event: 
var crypto = require('crypto');
var secret = process.env.SECRET_KEY;

// Using Express
app.post("/webhookurl", function(req, res) {
    //validate event
    const hash = crypto.createHmac('sha256', secret).update(JSON.stringify(req.body)).digest('hex');

    if (hash == req.headers['x-dojah-signature']) {
    // Retrieve the request's body
    const event = req.body;
    // Do something with event  
    }
    res.send(200);
});

​
Signature validation with secret only.

Events sent from Dojah carry the x-dojah-signature-v2 header. The value of this header is a HMAC SHA256 signature of your secret key. Verifying the header signature should be done before processing the event: 
var crypto = require('crypto');
var secret = process.env.SECRET_KEY;
const encoder = new TextEncoder();

// Using Express
app.post("/webhookurl", async function(req, res) {
       
       //validate event

        const data = encoder.encode(secret);
        const hashBuffer = await crypto.subtle.digest('SHA-256', data);
        const hashArray = Array.from(new Uint8Array(hashBuffer));
        const hash = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');

    if (hash == req.headers['x-dojah-signature-v2']) {
    
    // i.e the hash generated matches with the header signature


    }
    res.send(200);
});