1. IP Whitelisting
  2. Signature validation

​

With this method, you only allow certain IP addresses to access your webhook URL while blocking out others. Dojah will only send webhooks from these IP addresses:
  1. 20.112.64.208

​

Events sent from Dojah carry the x-dojah-signature header. The value of this header is a HMAC SHA256 signature of the event payload signed using your secret key. Verifying the header signature should be done before processing the event:
Javascript
var crypto = require('crypto');
var secret = process.env.SECRET_KEY;

// Using Express
app.post("/webhookurl", function(req, res) {
    //validate event
    const hash = crypto.createHmac('sha256', secret).update(JSON.stringify(req.body)).digest('hex');

    if (hash == req.headers['x-dojah-signature']) {
    // Retrieve the request's body
    const event = req.body;
    // Do something with event  
    }
    res.send(200);
});