Questions regarding webhook validation

Hi! Currently testing in sandbox before moving our code to use the production keys, I am integrating the webhook functionality.

I am using node + typescript.

I am a bit confused, however, when the encrypted secret is received in the webhook req.headers['x-request-signature-sha-256'].

Am I supposed to decrypt this, or am I supposed to encrypt my secret and compare it to the one sent by dwolla?

This is the snippet I am working with according to the documentation:

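  import * as crypto from 'crypto';

  app.post('/dwolla-webhook', (req, res) => {
    const secret = 'your webhook secret';
    const signature = req.headers['x-request-signature-sha-256'];

    // Recompute the HMAC-SHA256 of the payload with the webhook secret and compare it to the proposed signature
    const verifyGatewaySignature = (proposedSignature: string, webhookSecret: string, payloadBody: string | Buffer) => {
      const hash = crypto.createHmac('sha256', webhookSecret).update(payloadBody).digest('hex');

      // timingSafeEqual throws if the buffers differ in length, so check the lengths first
      const proposed = Buffer.from(proposedSignature);
      const expected = Buffer.from(hash);
      return proposed.length === expected.length && crypto.timingSafeEqual(proposed, expected);
    };

    res.status(201).send('received');
  });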

In this context, is the proposed signature the one received from Dwolla, and is the webhook secret the secret I provided? What about the payload body?

Hi @Engineering_Archie , This sample app may be a good point of reference for how to perform the validation of the webhook signature.

Dwolla signs each webhook request with the secret you passed in when you created the webhook subscription. The signature is contained in the x-request-signature-sha-256 header and is a SHA256 HMAC hash of the request body with the key being your webhook secret.

You can validate the webhook by generating the same SHA256 HMAC hash and comparing it to the signature sent with the payload.

The proposed signature would be the value that’s contained in the x-request-signature-sha-256 header on the webhook request.
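An added example, not part of the reply above and not Dwolla's sample code: it recomputes the HMAC over the request body exactly as received and compares it with the header value in constant time. The function names, secret and payload are constructed for illustration; the demo also shows that a parsed and re-serialized body no longer matches the signature.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hex HMAC-SHA256 of the body exactly as received, keyed with the webhook secret.
function computeSignature(rawBody: Buffer | string, webhookSecret: string): string {
  return createHmac("sha256", webhookSecret).update(rawBody).digest("hex");
}

// headerValue is req.headers['x-request-signature-sha-256'] (may be absent or repeated).
function verifyWebhookSignature(
  headerValue: string | string[] | undefined,
  rawBody: Buffer | string,
  webhookSecret: string,
): boolean {
  if (typeof headerValue !== "string") return false; // missing or duplicated header
  const received = Buffer.from(headerValue, "utf8");
  const expected = Buffer.from(computeSignature(rawBody, webhookSecret), "utf8");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Constructed sample data (not real Dwolla values).
function demo() {
  const secret = "constructed-sandbox-secret";
  const rawBody = Buffer.from('{"id": "constructed-event-id", "topic": "customer_created"}');
  const signature = computeSignature(rawBody, secret); // what the sender would put in the header

  // Parsing and re-serializing changes whitespace, so the bytes (and the HMAC) differ.
  const reserialized = JSON.stringify(JSON.parse(rawBody.toString("utf8")));

  return {
    rawOk: verifyWebhookSignature(signature, rawBody, secret),
    reserializedOk: verifyWebhookSignature(signature, reserialized, secret),
    wrongSecret: verifyWebhookSignature(signature, rawBody, "some-other-secret"),
    missingHeader: verifyWebhookSignature(undefined, rawBody, secret),
    truncated: verifyWebhookSignature(signature.slice(0, 32), rawBody, secret),
  };
}

console.log(demo());
```

In an Express app, mounting `express.raw({ type: 'application/json' })` on the webhook route makes `req.body` a Buffer of the received bytes, which is what should be passed as `rawBody`.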

Thanks! Amazing resource. I was able to solve it.

@spencer Hi! For some reason I stopped getting requests from the Dwolla webhook. I had gotten it working, but then while testing, my API stopped getting the subscriptions from the sandbox. Any guidance on this?

We can take a look in our webhook logs to see if we can find anything @Engineering_Archie. Do you have your subscription ID or your account ID? Thanks!

Sorry, figured it out! I had made a typo in the address of my hook. Thanks for your help!


@spencer Follow-up question: should I set up a separate webhook subscription for money-involved transfers and customer onboarding status for businesses? Or can one serve both?

Also, I'm wondering, is there a list of the possible topic responses I can grab from?

Hi @Engineering_Archie – Actually, a webhook subscription will serve all events that occur on your platform. You wouldn’t be able to subscribe to specific event topics.

Yes – here’s a comprehensive list of all possible events in Dwolla - Dwolla API docs
