old_Loopcrypto.xyz

Checking webhook signatures


Last updated 1 year ago

Verifying signatures

Every Loop webhook request will include a loop-signature header which contains a signature that you can verify to make sure the request came from Loop.

The signature is computed using your webhook shared secret key. Please verify this signature before acting on the request in your system.

Using Loop's SDK to verify signatures (recommended)

The easiest way to verify signatures is to use the verifyWebhook function in Loop's SDK, which is documented in the Loop SDK section under Verify Webhook.

However, if you do not use the SDK or want to separately verify webhook signatures, the steps are described below.

Getting the secret key

Before you can verify signatures, you need to retrieve your endpoint’s secret from the Developer page on the Company Dashboard.

Loop generates a unique secret key for each environment for your entity. If you use the same endpoint for both demo and production API keys, note that the secret is different for each environment.

Verifying the signature

Loop generates signatures using a hash-based message authentication code (HMAC) with SHA-256. To manually verify the signature, compute an HMAC with the SHA-256 hash function using the webhook response body (in string form) and the shared secret as input, then Base64-encode the result.

An example, written in Node.js, is shown below for reference:

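const CryptoJS = require("crypto-js");

// Shared secret from the Developer page on the Company Dashboard
const secret = "<MY_LOOP_WEBHOOK_SECRET>";
// Webhook body received from Loop
const data = "<WEBHOOK_RESPONSE_BODY>";

// HMAC-SHA256 over the body in string form, Base64-encoded
const signature = CryptoJS.HmacSHA256(JSON.stringify(data), secret).toString(CryptoJS.enc.Base64);

// 'signature' should match 'loop-signature' header in the webhook response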

If the HMAC with the SHA256 hash function of the message's body matches the signature, you have successfully verified the signature!
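
The manual check above, written as an added example that is not part of Loop's documentation or SDK: it uses Node's built-in crypto module and compares the signatures in constant time instead of with a plain string comparison. The function names, sample secret and sample body are constructed for illustration, and the code assumes the string passed in is exactly the body string that was signed.

```javascript
// Added example: verify a Loop webhook with Node's built-in crypto module.
const { createHmac, timingSafeEqual } = require("node:crypto");

// HMAC-SHA256 of the body string, Base64-encoded, as the page describes.
function computeLoopSignature(bodyString, secret) {
  return createHmac("sha256", secret).update(bodyString, "utf8").digest("base64");
}

// Returns true only when the loop-signature header value matches the body.
// Assumption: bodyString is the exact string that was signed. Re-serializing
// a parsed object can change key order or whitespace and break the match.
function verifyLoopWebhook(bodyString, headerValue, secret) {
  // A missing or non-string header is treated as a failed verification.
  if (typeof headerValue !== "string" || typeof bodyString !== "string") return false;
  const received = Buffer.from(headerValue.trim(), "base64");
  const expected = createHmac("sha256", secret).update(bodyString, "utf8").digest();
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Constructed sample data (not real Loop values).
const SAMPLE_SECRET = "test-secret-not-real";
const SAMPLE_BODY = JSON.stringify({ event: "example", id: 1 });
const SAMPLE_HEADER = computeLoopSignature(SAMPLE_BODY, SAMPLE_SECRET);

// Runs the verifier over the accepted case and the cases it must reject.
function demo() {
  return {
    valid: verifyLoopWebhook(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET),
    tampered: verifyLoopWebhook(SAMPLE_BODY.replace("1", "2"), SAMPLE_HEADER, SAMPLE_SECRET),
    wrongSecret: verifyLoopWebhook(SAMPLE_BODY, SAMPLE_HEADER, "other-secret"),
    missingHeader: verifyLoopWebhook(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    truncated: verifyLoopWebhook(SAMPLE_BODY, SAMPLE_HEADER.slice(0, 10), SAMPLE_SECRET),
  };
}

console.log(demo());
```

Because the demo and production environments have different secrets, a request signed with one will fail this check when verified with the other, which is the `wrongSecret` case.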