To make calls to your webhook, updatedge uses HMAC authorisation. This ensures that any calls to your publicly exposed endpoints originate from updatedge and not a malicious actor.
Two elements are required:
- A Timestamp header with the UTC time of when the request is made.
- An Authorization header which should be a SHA256 hash of the timestamp and the shared secret appended together.
Your webhook implementation should ensure that the Timestamp is within a valid period (perhaps 5 minutes) to prevent replay attacks if the request is intercepted.
If the Timestamp is within the accepted period, the API should then generate a SHA256 hash of the timestamp using the shared secret. If the digest matches the value in the header then the request is to be considered authorised.
To configure updatedge to make calls to your webhooks, you need to specify your API Base URL on the portal using the administrator account for your company. Go to your profile page and find the company section to set the following properties.
|The base URL which shall prefix all subsequent API calls. |
|A secret shared between updatedge and your system. |
A request to
will pass the following headers:
Example Validation (C#)
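```csharp
// Requires: using System; using System.Globalization;
//           using System.Security.Cryptography; using System.Text;

string timestamp = Request.Headers["Timestamp"];
string authorisation = Request.Headers["Authorization"];

if (string.IsNullOrEmpty(timestamp) || string.IsNullOrEmpty(authorisation))
    return false;

// Timestamp not within accepted period - prevent replay attacks.
// Parse as UTC so the comparison with UtcNow is correct on any server time zone.
if (!DateTime.TryParse(timestamp, CultureInfo.InvariantCulture,
        DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out DateTime value) ||
    value < DateTime.UtcNow.AddMinutes(-5) ||
    value > DateTime.UtcNow.AddMinutes(5))
    return false;

// The digest is the last space-separated token of the Authorization header
var parts = authorisation.Split(' ');
var incomingDigest = parts[parts.Length - 1];
var calculatedDigest = GenerateSha256Hash(timestamp, SHARED_SECRET);

// Compare in constant time so response timing does not reveal how much of the digest matched
return CryptographicOperations.FixedTimeEquals(
    Encoding.UTF8.GetBytes(calculatedDigest),
    Encoding.UTF8.GetBytes(incomingDigest));
```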
An example of an ActionFilterAttribute to decorate endpoints is also available.
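A self-contained version of the validation above, added here as an example and not updatedge's own code, which also supplies the `GenerateSha256Hash` helper that the snippet calls but does not show and takes the current time as a parameter so the replay window can be exercised. The class name `WebhookAuth`, the method `IsAuthorised`, the `HMAC ` scheme word and the sample values are hypothetical. The digest construction (lowercase hex HMAC-SHA256 of the timestamp string, keyed with the shared secret) is an assumption.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class WebhookAuth
{
    // Assumption: digest = lowercase hex HMAC-SHA256 of the timestamp string, keyed with the secret.
    public static string GenerateSha256Hash(string timestamp, string secret)
    {
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(timestamp));
        return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
    }

    // 'now' is passed in so the accepted period can be tested deterministically.
    public static bool IsAuthorised(string timestamp, string authorisation, string secret,
                                    DateTime now, TimeSpan window)
    {
        if (string.IsNullOrEmpty(timestamp) || string.IsNullOrEmpty(authorisation))
            return false;
        if (!DateTime.TryParse(timestamp, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out DateTime sent))
            return false;
        if ((now - sent).Duration() > window)   // too old (replay) or too far in the future
            return false;

        // The digest is taken as the last space-separated token of the header.
        string[] parts = authorisation.Split(' ');
        byte[] incoming = Encoding.UTF8.GetBytes(parts[parts.Length - 1]);
        byte[] expected = Encoding.UTF8.GetBytes(GenerateSha256Hash(timestamp, secret));
        return CryptographicOperations.FixedTimeEquals(expected, incoming); // constant-time compare
    }

    public static void Main()
    {
        const string secret = "constructed-demo-secret";         // constructed sample value
        var now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        var window = TimeSpan.FromMinutes(5);
        string ts = "2024-01-01T11:58:00Z";                       // constructed, 2 minutes old
        string auth = "HMAC " + GenerateSha256Hash(ts, secret);   // scheme word is an assumption

        Console.WriteLine(IsAuthorised(ts, auth, secret, now, window));                 // fresh request
        Console.WriteLine(IsAuthorised(ts, auth, secret, now.AddMinutes(10), window));  // same request replayed later
        Console.WriteLine(IsAuthorised("2024-01-01T11:59:00Z", auth, secret, now, window)); // timestamp altered
        Console.WriteLine(IsAuthorised(ts, auth, "wrong-secret", now, window));         // receiver holds a different secret
    }
}
```

Confirm the digest construction and its encoding against a real request before relying on this helper, since the receiver must compute exactly what the sender computed.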