Go to the Options step in the Campaign Editor.
In the Webhooks integration, click Show advanced webhook settings and enter the secret (it can be any string of text).
Publish/save your changes.
When your secret token has been set, GrowSurf uses it to create a hash signature to include in the header of each event notification payload.
The signature hash is passed along with each request in the header as
GrowSurf-Signature. You will need to compute a hash once the payload is received and compare it against the
GrowSurf-Signature value provided by GrowSurf within the header. Those steps are outlined below.
Split the header using the
, character as the separator to get a list of elements. Then split each element using the
= character as the separator to get a key/value pair.
The value for key/prefix
ts corresponds to the timestamp and the
v key/prefix corresponds to the signature you will use to compare your generated hash against.
Achieve this by concatenating:
The timestamp (as a string). AKA the value of
The actual JSON payload within the request body
Compute an HMAC with a
SHA256 hash function. Use the endpoint's signing secret token as the key (which you added in the Options step in the Campaign Editor), and use the signed payload string from Step 2 as the message.
Compare the GrowSurf provided signature within the header to the expected signature. If they match then compute the difference between a current timestamp and the received timestamp
ts. Then decide if the difference is within your tolerance.