Skip to main content
Version: 1.7.1

Validation of Webhook Requests

Before you respond to a Webhook request, you must validate if the request was sent from TaxBandits.

Follow the below steps to verify the authenticity:

Step 1: Read the headers - Signature & TimeStamp to obtain their values.

Step 2: Concatenate User's ClientId + \n + TimeStamp from the header. Compute a hash (HMACSHA256 algorithm) of the above-concatenated string with the User's ClientSecret as the key

Step 3: Convert the computed hash into a base64 string.

Step 4: Compare this base64 string with the Signature from the header

  • If there is a match, parse the JSON data for further processing and should return 200.

  • If there is no match, send the Response as 401 and stop processing.

Sample Code:

const crypto = require('crypto');

const computeHash = (clientSecret, message) => {
const key = Buffer.from(clientSecret, 'utf8');

const hmac = crypto.createHmac('sha256', key);
const hash = hmac.update(message, 'utf8').digest('base64');

return hash;
}

const timeStamp = "<<Timestamp>>" // Timestamp from Webhook Headers
const clientId = "<<TaxBandits Client Id>>" // Taxbandits consite site - Client Id
const clientSecret = "<<TaxBandits Client Secret>>"; // Taxbandits consite site - Client Secret
const message = clientId + '\n' + timeStamp;

// Compare this Signature with the Webhook Header Signature
console.log("Signature: ", computeHash(clientSecret, message));