Webhooks are an easy way to get instantly notified about events in the pinch system. Once an event occurs, a web request is posted to the URI set when creating the initial webhook.

For development, you can use a website such as https://webhook.site/ to set up test webhooks that receive requests from pinch.

Authenticating webhooks

By default, all webhooks originating from pinch are sent to an unauthenticated endpoint. What this means is that anyone, not just pinch, will be able to send requests to your application. So you need to ensure each and every request is valid.

If you are using the .NET SDK, you can call the VerifyWebhook() method from the resulting hook. See the code in WebhookClient.cs for how to implement this.

To validate requests, retrieve the pinch-signature header from the webhook request. It will look something like this: t=1619577772,v2=e5db053264a6657a563bf7a9e1ec18bb914b816663ea0e2f8deca9edc876a4g

The t= component is the timestamp of when the request was sent.
The v2= component is the string timestamp.message encrypted using the webhook secret key returned from the initial webhook creation.

It's up to you how you would like to verify, but the implementation used in the .NET SDK is:

Verifies that both timestamps (the t= value and the one in the v2= payload) are within a time tolerance.
Verifies that the signature was encrypted using the webhook's secret key.
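
One way to perform both checks in your own receiver, as an added example that is not the .NET SDK's code or anything published by pinch. It assumes the v2= value is a hex-encoded HMAC-SHA256 of timestamp.message keyed with the webhook secret, and a 300-second tolerance; neither is stated on this page, and the function names are hypothetical.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed tolerance; the page does not give a value


def parse_signature_header(header):
    """Split 't=...,v2=...' into a dict; reject malformed or duplicate parts."""
    parts = {}
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep or not value or key in parts:
            raise ValueError("malformed pinch-signature header")
        parts[key] = value
    if "t" not in parts or "v2" not in parts:
        raise ValueError("pinch-signature header needs t= and v2=")
    return parts


def sign(secret, timestamp, body):
    # Assumption: v2 = hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")).
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(header, body, secret, now=None):
    """Return True only if the header is fresh and matches the raw body."""
    try:
        parts = parse_signature_header(header)
        sent_at = int(parts["t"])
        expected = sign(secret, parts["t"], body)
    except (ValueError, UnicodeEncodeError):
        return False
    now = time.time() if now is None else now
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return False  # stale or future-dated request: treat as a replay
    # The signature covers the timestamp, so an altered t= also fails here.
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected.encode(), parts["v2"].encode())


# Constructed sample data, not real pinch values.
SECRET = b"constructed-example-secret"
BODY = b'{"type":"constructed-event"}'
HEADER = "t=1619577772,v2=" + sign(SECRET, "1619577772", BODY)
```

Pass the raw request bytes as body, before any JSON parsing or re-serialization, since a single changed byte produces a different signature.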