Validating Webhook Requests
When Vetrol sends a webhook to your application, it includes a signature in the X-Vetrol-Signature header. Always verify this signature to confirm the request is from Vetrol.
How it works
Vetrol computes an HMAC-SHA256 signature, keyed with your Auth Token, over the full URL of your webhook endpoint, with the request body appended for POST requests.
Verification example
middleware/vetrol-webhook.js
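const crypto = require('crypto');

function validateVetrolSignature(req, res, next) {
  const signature = req.headers['x-vetrol-signature'];
  const authToken = process.env.VETROL_AUTH_TOKEN;
  // Fail closed if the header is missing or the Auth Token is not configured.
  if (typeof signature !== 'string' || !authToken) {
    return res.status(403).json({ error: 'Invalid signature' });
  }

  // Rebuild the signed string: full endpoint URL followed by the request body.
  const url = `https://${req.headers.host}${req.originalUrl}`;
  // The serialized body must match the bytes that were signed.
  const body = JSON.stringify(req.body);

  const expected = Buffer.from(
    'sha256=' + crypto.createHmac('sha256', authToken).update(url + body).digest('hex')
  );
  const received = Buffer.from(signature);

  // Compare in constant time; timingSafeEqual throws if the lengths differ.
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return res.status(403).json({ error: 'Invalid signature' });
  }
  next();
}

module.exports = validateVetrolSignature;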
Use the middleware in your webhook route:
app.post('/webhooks/messages', validateVetrolSignature, (req, res) => {
  // Handle the webhook
  res.sendStatus(200);
});
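The following is an added example, not Vetrol's own code: it signs and verifies a request using the scheme described above (HMAC-SHA256 over URL plus body, sent as sha256=<hex>) and shows which inputs fail verification, including a body that was parsed and re-serialized before checking. The helper names, token, URL and payload are constructed for illustration, and it assumes the signature covers the exact body bytes that were sent.

```javascript
const crypto = require('crypto');

// Hypothetical helper: builds the header value as this page describes it,
// HMAC-SHA256 over URL + body, hex-encoded, with a "sha256=" prefix.
function signVetrolRequest(authToken, url, rawBody) {
  const mac = crypto.createHmac('sha256', authToken)
    .update(url)
    .update(rawBody)
    .digest('hex');
  return `sha256=${mac}`;
}

// Hypothetical helper: returns true only when the header matches; never throws.
function verifyVetrolRequest(authToken, url, rawBody, header) {
  if (typeof header !== 'string' || !authToken) return false;
  const expected = Buffer.from(signVetrolRequest(authToken, url, rawBody));
  const received = Buffer.from(header);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed sample values, not real credentials or endpoints.
const TOKEN = 'test-auth-token';
const ENDPOINT = 'https://app.example.com/webhooks/messages';
const RAW = Buffer.from('{"id": 7, "text": "hi"}'); // body bytes as received

function demo() {
  const header = signVetrolRequest(TOKEN, ENDPOINT, RAW);
  // Parsing and re-serializing drops the spaces, so the bytes no longer match.
  const reserialized = JSON.stringify(JSON.parse(RAW.toString()));
  return {
    rawBody: verifyVetrolRequest(TOKEN, ENDPOINT, RAW, header),
    reserialized: verifyVetrolRequest(TOKEN, ENDPOINT, reserialized, header),
    tamperedBody: verifyVetrolRequest(TOKEN, ENDPOINT, '{"id": 8, "text": "hi"}', header),
    wrongUrl: verifyVetrolRequest(TOKEN, ENDPOINT + '?x=1', RAW, header),
    missingHeader: verifyVetrolRequest(TOKEN, ENDPOINT, RAW, undefined),
    shortHeader: verifyVetrolRequest(TOKEN, ENDPOINT, RAW, 'sha256=abc'),
  };
}

console.log(demo());
```

If verification of genuine requests fails in your application, compare the bytes you hash against the bytes received on the wire before suspecting the token.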