Webhook events sent from our platform will include the following headers:

x-w2-timestamptimestamp of the webhook event in standard Unix time format e.g. 1583932184
x-w2-signaturehash-based message authentication code (HMAC) with SHA-256

Verifying signatures manually

Step 1: Extract the timestamp and signature from the headers

The timestamp and signature will always be in the x-w2-timesamp and x-w2-signature headers respectively.

Step 2: Prepare signed_payload string

Concatenate the following to form the signed_payload:

The timestamp - as a string
The character .
The JSON payload body

Step 3: Determine the expected signature

Compute an HMAC with SHA-256 hash function. Use your w2-provided-api-key(all lower case and not base64 encoded) as the key and the signed_payload as the message.

Step 4: Compare the signatures

Compare the signature in the x-w2-signature header to the expected signature.

Docs not making sense? Please contact us so we can fix them: [email protected] :)