Webhooks Security
Zoho Sign offers you an option to secure your webhooks by using HMAC-SHA 256 (Hash-Based Message Authentication Codes with SHA 256), an industry standard hashing mechanism to ensure the authenticity and integrity of the webhook is intact. Securing a webhook with HMAC will help check:
- If the webhook request has been sent from Zoho Sign (The secret key must be known only to Zoho Sign and the receiving application).
- If the webhook content has been tampered with along the way (integrity).
How does webhook security work in Zoho Sign?
When a webhook is sent from Zoho Sign, a HMAC signature will be included in the request headers with the name X-ZS-WEBHOOK-SIGNATURE. Upon receiving the webhook request, the receiving application will generate a HMAC signature using the same secret key and compare the results with the value present in the request header. If the value matches, the data is legitimate; otherwise, the data has been tampered with.
Generating a HMAC signature
Zoho Sign calculates the signature of the webhook payload using the HMAC-SHA256 algorithm, and the result is sent in base64 format in the request header. Here is the explanation with sample data:
payload | {{"requests":{"request_name":"Test Name"},"notifications":{"operation_type":"RequestSigningSuccess"}} |
secret_key | thisisthesamplekeyfortestingpurposes |
base64encode(HMAC SHA-256(payload+secret_key)) | drbSrM4H816RYKpZiRBLddUa0yHaTrwjtY04sIZFZus= |
Here is an image of how this webhook request header (HMAC header) will look like:
Verifying HMAC signature in the receiving application
- You must read the payload as a string to avoid reordering keys when read in JSON format.
- Compute HMAC SHA-256 hash of the payload using the secret key and base64 encode the result.
- Compare the value obtained from step 2 and the received HMAC header (X-ZS-WEBHOOK-SIGNATURE) value. If there is a mismatch, reject the webhook request.
Sample java cope snippet to verify the HMAC signature
- private static String verifyHmacHash(String secretKey, String payload, String hmacHash) throws Exception
- {
- String macAlgoName = "HmacSHA256";
- byte[] secretKeyBytes = secretKey.getBytes(StandardCharsets.UTF_8);
- Mac mac = Mac.getInstance(macAlgoName);
- SecretKeySpec keySpec = new SecretKeySpec(secretKeyBytes, mac.getAlgorithm());
- mac.init(keySpec);
- byte[] macData = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
- String calculatedHmac = java.util.Base64.getEncoder().encodeToString(macData);
- if(hmacHash.equals(calculatedHmac))
- {
- System.out.println("Hashes match, Webhook payload is valid!!");
- }
- else
- {
- System.out.println("Hashes doesn't match, Webhook payload is tampered!!");
- }
- return calculatedHmac;
- }
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Zoho DataPrep Resources
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
Webhooks
Webhook is one of the popular call back mechanisms popularly used by developers to integrate any two applications. It provides updates in real-time to the integrated application whenever an event or action occurs. This is a superior solution, unlike ...Security and Legal
Can I use Zoho Sign to collect sensitive personal data such as credit card information? We strongly discourage the use of Zoho Sign or its associated features to collect sensitive personal data such as credit card information, PIN, and social ...Recipient authentication via Dynamic Knowledge-Based Authentication (KBA)
Available only in US datacenter on all paid plans and requires Zoho Sign credits Knowledge-based authentication (KBA) is a type of authentication where signers are identified by asking them to answer specific security questions to ensure that the ...Recipient authentication
Set the authentication code delivery mode for the recipient to authenticate the signing process. Hover over Settings and click Account settings. Click Sending options and navigate to the Recipient authentication section. Enable the Enforce ...Webhooks best practices
As a technical user, you use webhooks to set up or integrate applications and get real-time updates whenever an event or action occurs. The admin of a Zoho Sign account can configure a webhook and choose the events that will trigger it. The callbacks ...
New to Zoho LandingPage?
Zoho LandingPage Resources