Verifying requests

To ensure that the requests you're getting at your webhook endpoint are actually coming from Mailabl, Mailabl populates a X-Mailabl-Signature header with a SHA-256 hash of the concatenation of the app-secret for your application and the body of the webhook request.

Before you can verify signatures, you need to retrieve your endpoint's secret from you Webhook settings under Settings > Integrations > Webhooks page. Select an endpoint that you want to obtain the secret for, then click the "Show" button.

Mailabl generates a unique secret key for each endpoint. If you use multiple endpoints, you must obtain a secret for each one you want to verify signatures on.

Verifying signatures

To verify this signature, concatenate the secret of your webhook and the un-parsed request body of the request you're handling, and get a SHA-256 hash of the result. Compare the resulting hash with the value of the X-Mailabl-Signature. If these values match, then this verifies that this request came from Mailabl. Or, the request came from someone else who knows your application secret. It's important to keep this value secret.

If these values do not match, then this request may have been tampered with in-transit or someone may be spoofing webhook notifications to your endpoint.

Here's a quick example written in PHP:

$secret = 'xxxxxxxxxx';
$jsonPayload = json_encode($payload);
$signature = hash_hmac('sha256', $jsonPayload, $secret);

Verifying signatures​

Verifying signatures