Twenty, 5d ago
Marian

Are webhook secrets actually used? How?

How should the secret defined in a webhook setup get submitted with the webhook request? I set up a webhook for test purposes and defined a secret. The service listening to the requests is logging these details: request headers, request body, query string parameters. I can't find the secret anywhere.
3 Replies
thomast, 4d ago
@martmull
martmull, 4d ago
Hey @Marian, thank you for reaching out. The secret is not provided in the webhook data directly. We generate a signature (hashing webhook data, secret and timestamp) that we add to the headers under the X-Twenty-Webhook-Signature key. So to check your secret, you need to create the expected signature and compare it to the X-Twenty-Webhook-Signature header value. FYI, here is the code that generates the signature -> https://github.com/twentyhq/twenty/blob/b5e6600c73492b7397b242b9b170f9d19107ef78/packages/twenty-server/src/modules/webhook/jobs/call-webhook.job.ts#L32
```typescript
import crypto from 'crypto';

private generateSignature(
  payload: CallWebhookJobData,
  secret: string,
  timestamp: string,
): string {
  return crypto
    .createHmac('sha256', secret)
    .update(`${timestamp}:${JSON.stringify(payload)}`)
    .digest('hex');
}
```
Hope it helps.
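
Added example, not part of the thread and not Twenty's own code: a receiver-side check that recomputes the signature with the construction shown above and compares it to the X-Twenty-Webhook-Signature value in constant time. Assumptions: the timestamp reaches the receiver alongside the request and is epoch milliseconds; `verifyWebhook`, `maxAgeMs` and the sample values are hypothetical and constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Same construction as generateSignature in the reply above:
// HMAC-SHA256 over "<timestamp>:<JSON.stringify(payload)>", hex-encoded.
function expectedSignature(payload, secret, timestamp) {
  return crypto
    .createHmac('sha256', secret)
    .update(`${timestamp}:${JSON.stringify(payload)}`)
    .digest('hex');
}

// Returns true only when the received signature matches the recomputed one.
// Assumption (not stated in the thread): timestamp is epoch milliseconds, so a
// freshness window (maxAgeMs, hypothetical) can reject replayed deliveries.
function verifyWebhook({ payload, secret, timestamp, signature,
                         now = Date.now(), maxAgeMs = 5 * 60 * 1000 }) {
  // A SHA-256 HMAC in hex is exactly 64 hex characters; reject anything else.
  if (typeof signature !== 'string' || !/^[0-9a-f]{64}$/i.test(signature)) return false;
  const sentAt = Number(timestamp);
  if (!Number.isFinite(sentAt) || Math.abs(now - sentAt) > maxAgeMs) return false;
  const expected = Buffer.from(expectedSignature(payload, secret, timestamp), 'hex');
  const received = Buffer.from(signature, 'hex');
  // Both buffers are 32 bytes here; timingSafeEqual does not leak where they differ.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample delivery (not real Twenty data).
const SAMPLE = {
  secret: 'constructed-test-secret',
  timestamp: '1700000000000',
  payload: { event: 'constructed.sample', record: { id: 'constructed-id' } },
};

function demo() {
  const good = expectedSignature(SAMPLE.payload, SAMPLE.secret, SAMPLE.timestamp);
  const now = 1700000001000; // one second after the constructed timestamp
  return {
    valid: verifyWebhook({ ...SAMPLE, signature: good, now }),
    wrongSecret: verifyWebhook({ ...SAMPLE, secret: 'other-secret', signature: good, now }),
    tamperedBody: verifyWebhook({ ...SAMPLE, payload: { event: 'changed' }, signature: good, now }),
    stale: verifyWebhook({ ...SAMPLE, signature: good, now: now + 60 * 60 * 1000 }),
    malformed: verifyWebhook({ ...SAMPLE, signature: 'not-hex', now }),
  };
}

console.log(demo());
```

The receiver re-serializes the parsed body with `JSON.stringify`, as the sender does; a receiver that reformats or reorders the payload before this step will compute a different signature.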
martmull, 4d ago
@Thomas do we have documentation about secret usage? Looks like the description in the webhook form is not enough