Webhooks are an easy way to get instantly notified about events in the pinch system. Once an event occurs, a web request is posted to the URI set when creating the initial webhook.
For development, you can use a website such as https://webhook.site/ to set up test webhooks that receive requests from pinch.
By default, all webhooks originating from pinch are sent to an unauthenticated endpoint. What this means is that anyone, not just pinch, will be able to send requests to your application. So you need to ensure each and every request is valid.
If using the .NET SDK you can call the VerifyWebhook() method from the resulting hook. See the code in WebhookClient.cs for how to implement this.
To validate requests, retrieve the pinch-signature from the header returned from the webhook request. It will look something like this -
The t= component is the timestamp of when the request was sent
The v2= component is a string of timestamp.message encrypted using the webhook secret key returned from the initial webhook creation.
It's up to you how you would like to verify, but the implementation used in the .NET SDK is -
Verifies that the timestamps (both the t= value and the one in the v2= payload) are within a time tolerance
Verifies the signature was encrypted using the webhook's secret key.
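The two checks above, as an added Python example for receivers that do not use the .NET SDK; it is not Pinch's SDK code. The page does not state the header separator, the timestamp unit, the keyed algorithm or the tolerance, so this sketch assumes a comma-separated header, Unix seconds, a hex HMAC-SHA256 over timestamp.message, and a 300 second window; confirm each against WebhookClient.cs.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed window; the page only says "a time tolerance"


def parse_signature_header(header):
    """Split 't=...,v2=...' into a dict. The comma separator is an assumption."""
    parts = {}
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if sep and key not in parts:  # keep the first occurrence of each key
            parts[key] = value
    return parts


def expected_v2(secret, timestamp, body):
    """Keyed digest of 'timestamp.message'. Hex HMAC-SHA256 is an assumption."""
    signed = timestamp.encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(header, body, secret, now=None, tolerance=TOLERANCE_SECONDS):
    """Return True only for a fresh request whose v2 value matches the secret.

    body must be the raw request bytes, not a re-serialised JSON object.
    """
    parts = parse_signature_header(header)
    timestamp, v2 = parts.get("t", ""), parts.get("v2", "")
    well_formed = timestamp.isascii() and timestamp.isdigit() and len(timestamp) <= 12
    if not well_formed or not v2:
        return False  # missing or malformed component: reject
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > tolerance:
        return False  # outside the tolerance window: treat as a replay
    # Constant-time comparison avoids leaking how many characters matched.
    expected = expected_v2(secret, timestamp, body).encode()
    return hmac.compare_digest(expected, v2.lower().encode("utf-8", "replace"))
```

Because the timestamp is part of the signed string, a request replayed with an altered t= value fails the second check even if it passes the first.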
Updated 3 months ago