Infinite Creator webhooks are sent with a signature the destination server can use to verify that the event came from Infinite Creator and not a third party or malicious system. It is strongly recommended that webhook consumers verify these signatures before processing each webhook event.

Verify Message Signature

To protect your app against man-in-the-middle and replay attacks, you should verify the signature of messages sent to your application. The signature is included as an InfiniteCreator-Signature header:

    InfiniteCreator-Signature: t=1633174587,s=18494715036ac4416a1d0a673871a2edbcfc94d94bd88ccd2c5ec9b3425afe66

A replay attack is when an attacker intercepts a valid payload and its signature, then re-transmits them. To mitigate such attacks, we include a timestamp in the InfiniteCreator-Signature header. Because this timestamp is part of the signed payload, it's also verified by the signature, so an attacker can't change the timestamp without invalidating the signature. If the signature is valid but the timestamp is too old, you can have your application reject the payload.

Infinite Creator generates the timestamp and signature each time we send an event to your endpoint. If Infinite Creator retries an event (for example, your endpoint previously replied with a non-2xx status code), then we generate a new signature and timestamp for the new delivery attempt.

Guide

1. Obtain the timestamp and signature from the header

Split the header, using the , character as the separator, to get a list of elements. Next, split each element, using the = character as the separator, to get a prefix and value pair. The value for the prefix t corresponds to the timestamp, and s corresponds to the signature.

2. Calculate your own signature

Create signed_payload by concatenating:
  • The timestamp t as a string
  • The character .
  • The actual JSON payload (request body)
An HMAC with the SHA256 hash function is computed with your secret as the key and your signed_payload string as the message.

3. Compare the signatures

Compare the signature in the header to the signature you generated. If they are equal, compute the difference between the current timestamp and the received timestamp in the header, and use this to decide whether the difference is tolerable. Use Network Time Protocol (NTP) to make sure that your server's clock is accurate. To protect against timing attacks, use a constant-time string comparison function.
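The three steps above carried through end to end, as an added example (not code from the Infinite Creator documentation): header parsing, HMAC-SHA256 over `t.body`, constant-time comparison, then a timestamp tolerance check. The secret, request body and the 300-second tolerance window are constructed assumptions for this example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumed tolerance window for the timestamp check; tune to your own needs.
TOLERANCE_SECONDS = 300


def parse_signature_header(header: str) -> Dict[str, str]:
    """Step 1: split 't=...,s=...' on ',' then '=' into a prefix -> value map."""
    parts: Dict[str, str] = {}
    for element in header.split(','):
        prefix, sep, value = element.strip().partition('=')
        if sep:  # ignore malformed elements with no '='
            parts[prefix] = value
    return parts


def compute_signature(t: str, request_body: str, secret: str) -> str:
    """Step 2: HMAC-SHA256 over '<t>.<body>' keyed with the secret, hex encoded."""
    signed_payload = f'{t}.{request_body}'
    return hmac.new(secret.encode(), signed_payload.encode(), hashlib.sha256).hexdigest()


def verify_webhook(header: str, request_body: str, secret: str,
                   now: Optional[int] = None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Step 3: constant-time signature compare, then reject stale timestamps."""
    parts = parse_signature_header(header)
    t, s = parts.get('t'), parts.get('s')
    if t is None or s is None or not t.isdigit():
        return False  # missing or malformed header
    expected = compute_signature(t, request_body, secret)
    if not hmac.compare_digest(expected, s):
        return False  # tampered body, wrong secret, or forged timestamp
    current = int(time.time()) if now is None else now
    return abs(current - int(t)) <= tolerance  # replay outside the window is rejected


# Constructed sample delivery (not real Infinite Creator data).
SECRET = 'whsec_example_secret'
BODY = '{"id":"evt_123","type":"order.created"}'
T = '1633174587'
HEADER = f't={T},s={compute_signature(T, BODY, SECRET)}'

if __name__ == '__main__':
    print(verify_webhook(HEADER, BODY, SECRET, now=int(T) + 60))
```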

Examples

import hashlib
import hmac

def verify_signature(t: str, s: str, request_body: str, secret: str) -> bool:
    # Step 2: signed_payload is "<timestamp>.<raw request body>"
    signed_payload = t + '.' + request_body
    signature = hmac.new(key=secret.encode(), msg=signed_payload.encode(),
                         digestmod=hashlib.sha256).hexdigest()
    # Step 3: constant-time comparison against the s value from the header
    return hmac.compare_digest(signature, s)