HMAC Validation


When you subscribe to WebHooks from ShoppinPal we recommend you validate the integrity of the requests.

  • ShoppinPal will share an environment specific(staging, production, etc) key.
  • While doing the event request delivery, the request will contain a x-shoppinpal-hmac-sha256 header. This will be very specific to each request.
  • Partners can compare the HMAC digest(base64) to validate the integrity of the request in order to use the data posted to the API.
WebHook Request HeaderValue
x-webhook-request-idUnique UUID for a unique request.
x-shoppinpal-hmac-sha256Use this to validate the integrity of a request.

Below is an example on how would you validate a request depending on the x-shoppinpal-hmac-sha256 header in NodeJS using crypto.

const crypto = require('crypto');
const hmac = crypto.createHmac('sha256', secret).update(JSON.stringify(request.body)).digest('base64');