Each application has a unique webhook secret that is used to sign the JSON body of webhook requests. It can be viewed and regenerated in the Impala Management Console. As the secret value is per-application, you can use it to verify that a webhook request came from Impala and that it relates to your application.
The signature can be found in the
X-Impala-Signature header and is a SHA256 HMAC that's hex encoded. Here is a breakdown on how you can verify the authenticity:
- Retrieves the data from the database.
- Constructs the payload.
- Fetches the secret key.
- Combines the payload and the secret key to generate a verification hash.
- Sends the payload and verification hash to the client.
- Receive the webhook.
- Combine the payload (without the verification hash) and the secret key to generate a verification hash.
- Compare the hash received from Impala with the one the client has created.
- If the hashes match, then the payload can be trusted.
Please check out our Node.js example of how to check the authenticity of a received Webhook notification.