Webhook Security

The Zero Hash Webhook uses request headers to secure message transport. The RSA security method is Zero Hash’s recommended form of webhook security, as it does not require passing secret keys back and forth. We also support token-method signing of the payload: you may provide a secret token to us during configuration. If you’ve done so, we will include the x-zh-hook-signature-256 header with the webhook.

Name                         Description
x-zh-hook-notification-id    Notification ID, can be used for idempotency checks
x-zh-hook-payload-type       Payload type string. The following values are available:
  • participant_status_changed
  • participant_updated
  • payment_status_changed
  • deposit_fund_complete
  • external_account_status_changed
  • unspecified

Depending on your security configuration, additional headers may also be included:

Name                           Description
x-zh-hook-signature-256        to_hex(hmac(sha_256(payload), your-secret))
x-zh-hook-rsa-signature-256    to_hex(rsa(sha_256(payload), zh-sec-key))

Zero Hash’s webhook requests will originate from the following IP addresses, should you need an allow-list:

  • 18.189.25.175/32
  • 3.18.218.32/32
  • 3.22.145.85/32
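
A receiver-side check for the token method, combining the allow-list, the signature header and the notification ID. This is an added example, not Zero Hash's own code: it assumes the signature is the lowercase hex HMAC-SHA256 of the raw request body keyed with your secret, and the class name, function names and sample values are hypothetical.

```python
import hashlib
import hmac
import ipaddress

# Source addresses listed on this page.
ZH_SOURCE_NETS = [ipaddress.ip_network(n) for n in
                  ("18.189.25.175/32", "3.18.218.32/32", "3.22.145.85/32")]


def sign(secret: bytes, raw_body: bytes) -> str:
    """Assumed token-method construction: hex(HMAC-SHA256(secret, raw body))."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # in-memory for the example; use a shared store in production

    def check(self, headers: dict, raw_body: bytes, peer_ip: str) -> str:
        """Return 'accept', 'duplicate' or 'reject:<reason>'."""
        h = {k.lower(): v for k, v in headers.items()}
        try:
            addr = ipaddress.ip_address(peer_ip)
        except ValueError:
            return "reject:source-ip"
        if not any(addr in net for net in ZH_SOURCE_NETS):
            return "reject:source-ip"
        # Verify over the exact bytes received, before any JSON parsing,
        # and compare in constant time.
        sent = h.get("x-zh-hook-signature-256", "").strip().lower()
        if not hmac.compare_digest(sign(self._secret, raw_body).encode(), sent.encode()):
            return "reject:signature"
        # Record the ID only after authentication, so unauthenticated
        # requests cannot fill or poison the replay cache.
        note_id = h.get("x-zh-hook-notification-id")
        if not note_id:
            return "reject:missing-id"
        if note_id in self._seen:
            return "duplicate"
        self._seen.add(note_id)
        return "accept"


if __name__ == "__main__":
    secret, body = b"constructed-secret", b'{"constructed": "payload"}'
    hdrs = {"X-ZH-Hook-Notification-Id": "n-1",
            "X-ZH-Hook-Signature-256": sign(secret, body)}
    v = WebhookVerifier(secret)
    for b in (body, body, body + b" "):
        print(v.check(hdrs, b, "3.18.218.32"))
```

Pass the TCP peer address as `peer_ip`; a forwarded-for header is only usable when a proxy you control sets it.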

Integration Tips

  • If using the RSA security method, when creating a SHA-256 hash of the webhook body & payload, ensure the hash is decoded to binary before validating the webhook signature
    • Be sure to also decode the RSA signature found in the header of the webhook back to binary prior to webhook validation (see recipes below for examples)

Sample Webhook Signatures