Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.govly.com/llms.txt

Use this file to discover all available pages before exploring further.

Webhook Security

Webhook requests sent from Govly are signed with your Webhook Signature Key which can be found on the API integration dashboard.

Signature Verification

Each request will include the Govly-Webhook-Signature header which is a SHA2 hex digest of the webhook checksum, signed with your secret key. To verify the signature, you can join your secret key and the webhook checksum on a period. Then, compare the result to Govly-Webhook-Signature to confirm the request is from Govly.

Example Implementation

Here’s an example of how you might verify a Govly webhook’s authenticity in Ruby: 
webhook_signature = webhook_request.headers["Govly-Webhook-Signature"]
webhook_checksum = webhook_request.headers["Govly-Webhook-Event-Checksum"]
webhook_signature_key = ENV["GOVLY_WEBHOOK_SIGNATURE_KEY"]

valid_signature = Digest::SHA2.hexdigest("#{webhook_signature_key}.#{webhook_checksum}")
valid = webhook_signature == valid_signature

Alternative Authentication

Alternatively, you can use the custom headers option described in the Header section of the webhook documentation when creating a webhook to include a private credential of your choice to authenticate the request.