Webhooks Signing - Legacy

Important

This method of signing webhooks is used with versions 1.0 and 1.1 and is now considered legacy. Please contact support@perryweather.com if you would like to update your existing webhooks to v1.2.

Webhook Validation

If your webhook exposes sensitive parts of your platform, you might want to verify that requests are coming from Perry Weather and not a malicious third party. Perry Weather cryptographically signs requests sent to you using HMAC-SHA256.

Here are the general steps we take to sign the request:

1. Perry Weather appends the event_id, event_type, and version fields in the body of the request to the end of the webhook URL.

using System.Collections.Generic;

string url = "https://webhook.yourdomain.com";
string eventId = "6544e1ce-7eea-4353-b404-f2ca21a93a68";
string eventType = "DELAY";
string version = "1.0.0";
Dictionary<string, string> data = new Dictionary<string, string>
{
    { "event_id", eventId },
    { "event_type", eventType },
    { "version", version }
};
// Each field is appended as key=value, with no separator between the URL and the pairs.
foreach (var item in data)
{
    url += $"{item.Key}={item.Value}";
}
// url == "https://webhook.yourdomain.comevent_id=6544e1ce-7eea-4353-b404-f2ca21a93a68event_type=DELAYversion=1.0.0"

2. Perry Weather takes the resulting string and signs it using HMAC-SHA256 with your API Key as the key. Contact support@perryweather.com for questions regarding your Perry Weather API Key.

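using System;
using System.Security.Cryptography;
using System.Text;

string url = "https://webhook.yourdomain.comevent_id=6544e1ce-7eea-4353-b404-f2ca21a93a68event_type=DELAYversion=1.0.0";
string yourApiKey = "fakeApiKey";
// HMAC-SHA256 keyed with the UTF-8 bytes of your API Key
using HMACSHA256 hmac = new(Encoding.UTF8.GetBytes(yourApiKey));
byte[] hashValue = hmac.ComputeHash(Encoding.UTF8.GetBytes(url));
// The signature is the Base64 encoding of the raw HMAC bytes
string signature = Convert.ToBase64String(hashValue);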

3. The signature is then attached to the request as a header named x-pw-signature.

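using System.Net.Http;
using System.Text;
using System.Text.Json;

// payload is the event object being sent as the request body
string json = JsonSerializer.Serialize(payload);
StringContent content = new StringContent(json, Encoding.UTF8, "application/json");
// Placeholder; the real value is the Base64 signature computed in step 2
string signature = "fake-signature";
content.Headers.Add("x-pw-signature", signature);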

Validating requests in your application

To verify that a request was sent from Perry Weather, your application will need to replicate the example steps above with your API Key to generate a signature.

Requests with a signature matching the signature generated in your application can be processed as authentic Perry Weather events, while requests with a wrong or missing signature should be discarded.
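
One way to implement the receiving side of the steps above, as an added example that is not Perry Weather's own code: it rebuilds the signed string from the request body, recomputes the HMAC-SHA256 named in the text, and compares it to the x-pw-signature header in constant time. The class and method names are hypothetical, the three fields are assumed to be top-level string properties of the JSON body, and HMACSHA256.HashData requires .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class LegacyWebhookValidator // hypothetical name
{
    // Steps 1-2: the webhook URL followed by event_id, event_type and version as
    // key=value pairs with no separators. Assumes top-level string fields in the body.
    static string BuildSignedString(string webhookUrl, string jsonBody)
    {
        using JsonDocument doc = JsonDocument.Parse(jsonBody);
        var sb = new StringBuilder(webhookUrl);
        foreach (string field in new[] { "event_id", "event_type", "version" })
            sb.Append(field).Append('=').Append(doc.RootElement.GetProperty(field).GetString());
        return sb.ToString();
    }

    static byte[] Sign(string signedString, string apiKey) =>
        HMACSHA256.HashData(Encoding.UTF8.GetBytes(apiKey), Encoding.UTF8.GetBytes(signedString));

    // True only if the x-pw-signature value matches; missing or malformed input fails closed.
    public static bool IsValid(string webhookUrl, string jsonBody, string headerValue, string apiKey)
    {
        if (string.IsNullOrEmpty(headerValue)) return false;
        try
        {
            byte[] received = Convert.FromBase64String(headerValue);
            byte[] expected = Sign(BuildSignedString(webhookUrl, jsonBody), apiKey);
            // Constant-time comparison: does not reveal how many leading bytes matched.
            return CryptographicOperations.FixedTimeEquals(expected, received);
        }
        catch (Exception e) when (e is FormatException or JsonException or KeyNotFoundException or InvalidOperationException)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample request built from the example values on this page.
        const string url = "https://webhook.yourdomain.com", key = "fakeApiKey";
        const string body = "{\"event_id\":\"6544e1ce-7eea-4353-b404-f2ca21a93a68\",\"event_type\":\"DELAY\",\"version\":\"1.0.0\"}";
        string good = Convert.ToBase64String(Sign(BuildSignedString(url, body), key));
        Console.WriteLine(IsValid(url, body, good, key));                            // genuine request
        Console.WriteLine(IsValid(url, body.Replace("DELAY", "TAMPERED"), good, key)); // constructed altered body
        Console.WriteLine(IsValid(url, body, null, key));                            // header missing
    }
}
```

Because only the URL and these three fields are covered by the signature, the remaining body fields are not authenticated by this check.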