Verify Events

There are two ways to ensure events you receive are from Dojah.

  1. IP Whitelisting
  2. Signature validation

IP Whitelisting

With this method, you only allow certain IP addresses to access your webhook URL while blocking out others. Dojah will only send webhooks from these IP addresses:

  1. ,

Signature Validation

Events sent from Dojah carry the x-dojah-signature header. The value of this header is a HMAC SHA256 signature of the event payload signed using your secret key. Verifying the header signature should be done before processing the event:

var crypto = require('crypto');
var secret = process.env.SECRET_KEY;

// Using Express"/webhookurl", function(req, res) {
    //validate event
    const hash = crypto.createHmac('sha256', secret).update(JSON.stringify(req.body)).digest('hex');

    if (hash == req.headers['x-dojah-signature']) {
    // Retrieve the request's body
    const event = req.body;
    // Do something with event  

 if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST' && array_key_exists('x-dojah-signature', $_SERVER)) {
     //get the request body
     $input = @file_get_contents("php://input");

     define('DOJAH_SECRET_KEY', 'SECRET_KEY');
     //validate request
     if ($_SERVER['HTTP_X_DOJAH_SIGNATURE'] === hash_hmac('sha256', $input, DOJAH_SECRET_KEY)) {

         //parse event
         $event = json_decode($input);