Webhook Security

Webhook requests sent from Govly are signed with your Webhook Signature Key, which can be found on the API integration dashboard.

Signature Verification

Each request includes the Govly-Webhook-Signature header, which is a SHA2 hex digest of the webhook checksum, signed with your secret key. To verify the signature, join your secret key and the webhook checksum (sent in the Govly-Webhook-Event-Checksum header) with a period and compute the SHA2 hex digest of the joined string. Then compare the result to Govly-Webhook-Signature to confirm the request is from Govly.

Example Implementation

Here’s an example of how you might verify a Govly webhook’s authenticity in Ruby:
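require "digest"
require "openssl"

# Missing headers become empty strings so the comparison fails instead of raising
webhook_signature = webhook_request.headers["Govly-Webhook-Signature"].to_s
webhook_checksum = webhook_request.headers["Govly-Webhook-Event-Checksum"].to_s
# ENV.fetch raises if the key is not configured, so verification fails closed
webhook_signature_key = ENV.fetch("GOVLY_WEBHOOK_SIGNATURE_KEY")

# Expected signature: SHA2 hex digest of "<secret key>.<checksum>"
valid_signature = Digest::SHA2.hexdigest("#{webhook_signature_key}.#{webhook_checksum}")
# Constant-time comparison, so response timing does not reveal how much of the signature matched
valid = OpenSSL.secure_compare(webhook_signature, valid_signature)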

Alternative Authentication

Alternatively, when creating a webhook, you can use the custom headers option described in the Header section of the webhook documentation to include a private credential of your choice, which your endpoint can then check to authenticate the request.
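
The two checks described above can be enforced in one place before any handler runs. The following Rack-style middleware is an added example, not Govly's own code: the class name `GovlyWebhookVerifier`, the `token_env`/`token` parameters, and the sample values are assumptions, and the `HTTP_*` keys are how Rack exposes the two Govly headers.

```ruby
require "digest"
require "openssl"

# Rack-style middleware (hypothetical class name): returns 401 unless
# Govly-Webhook-Signature equals SHA2("<key>.<checksum>").
class GovlyWebhookVerifier
  SIGNATURE_ENV = "HTTP_GOVLY_WEBHOOK_SIGNATURE"
  CHECKSUM_ENV  = "HTTP_GOVLY_WEBHOOK_EVENT_CHECKSUM"

  # token_env/token: optional custom-header credential (Alternative
  # Authentication); the header name is whatever you configured on the webhook.
  def initialize(app, key:, token_env: nil, token: nil)
    raise ArgumentError, "signature key must not be empty" if key.to_s.empty?
    @app, @key, @token_env, @token = app, key, token_env, token
  end

  def call(env)
    return reject unless signature_valid?(env)
    return reject if @token_env && !token_valid?(env)
    @app.call(env)
  end

  private

  def signature_valid?(env)
    signature = env[SIGNATURE_ENV].to_s
    checksum  = env[CHECKSUM_ENV].to_s
    # A missing header is a failure, never an empty-string match.
    return false if signature.empty? || checksum.empty?
    expected = Digest::SHA2.hexdigest("#{@key}.#{checksum}")
    OpenSSL.secure_compare(signature, expected) # constant-time
  end

  def token_valid?(env)
    # An unset expected token must not match an absent header.
    !@token.to_s.empty? && OpenSSL.secure_compare(env[@token_env].to_s, @token.to_s)
  end

  def reject
    [401, { "content-type" => "text/plain" }, ["webhook authentication failed"]]
  end
end

# Constructed sample values for local testing, not real Govly data.
SAMPLE_KEY = "test-signature-key"
SAMPLE_CHECKSUM = "3f2a9c-constructed-checksum"
SAMPLE_SIGNATURE = Digest::SHA2.hexdigest("#{SAMPLE_KEY}.#{SAMPLE_CHECKSUM}")
```

The middleware fails closed: a missing header, an empty key, or a configured token header without a token value all result in rejection rather than a pass.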