
Security

Webhook requests are signed using a shared secret, which you can find in the webhooks dashboard. The resulting signature, together with the signing timestamp, is sent with the request in the Tickettailor-Webhook-Signature header. We recommend verifying that each request really came from Ticket Tailor. To do this, compute an HMAC-SHA256 over the signing timestamp concatenated with the raw request payload, using the shared secret as the key, then compare the result with the signature sent by Ticket Tailor using a constant-time comparison and reject the request if they do not match.

We also recommend rejecting webhooks whose signing timestamp is more than 5 minutes old; this limits the window in which a captured request could be replayed.

See the code example below for how to verify a webhook request. Make your webhook clients idempotent in case a webhook is delivered more than once: keep track of the ids of requests you have already processed so that no task is executed twice.

<?php
// Shared secret from the webhooks dashboard; load it from configuration rather than committing it.
$sharedSecret = 'ABCD123';

// Raw request body, exactly as sent. The HMAC covers these bytes, so do not re-encode a decoded JSON object.
$body = file_get_contents('php://input');

// The header carries the signing timestamp and the signature as comma-separated key=value pairs.
$header = $_SERVER['HTTP_TICKETTAILOR_WEBHOOK_SIGNATURE'] ?? '';
$headerParts = explode(',', $header);
if (count($headerParts) < 2) {
    throw new \Exception('Missing or malformed signature header');
}
$timestamp = explode('=', trim($headerParts[0]), 2)[1] ?? '';
$signature = explode('=', trim($headerParts[1]), 2)[1] ?? '';

// Expected signature: HMAC-SHA256 over the timestamp concatenated with the raw body.
$hash = hash_hmac('sha256', $timestamp . $body, $sharedSecret);

// Constant-time comparison; a plain == or === would leak timing information.
if (! hash_equals($hash, $signature)) {
    throw new \Exception('Invalid signature');
}

// Reject replayed requests whose signing timestamp is older than 5 minutes.
$tolerance = 60 * 5; // 5 minutes
if ((time() - (int) $timestamp) > $tolerance) {
    throw new \Exception('Webhook is out of date');
}
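The checks described above (signature, timestamp tolerance and idempotent processing) in one place, as an added example that is not part of the Ticket Tailor documentation and not their code. It is written in Python so that it runs without a web server: a sign() function stands in for the sender, and the header key names (t= and v1=), the id field in the payload and the in-memory set of processed ids are assumptions made for the example. The HMAC input (timestamp followed by the raw body) and the positional header parsing match the PHP snippet above.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for the example; the real secret comes from the webhooks dashboard.
SHARED_SECRET = b"ABCD123"
TOLERANCE_SECONDS = 5 * 60


def sign(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """Simulate the sender: HMAC-SHA256 over <timestamp><body>, hex-encoded.
    The key names t= and v1= are an assumption; the verifier below parses positionally."""
    mac = hmac.new(secret, str(timestamp).encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def parse_header(header: str) -> Tuple[str, str]:
    """Positional parse like the PHP above: first part is the timestamp, second the signature."""
    parts = header.split(",")
    if len(parts) < 2:
        raise ValueError("malformed signature header")
    timestamp = parts[0].strip().split("=", 1)[1]
    signature = parts[1].strip().split("=", 1)[1]
    return timestamp, signature


def verify(body: bytes, header: str, now: Optional[int] = None,
           secret: bytes = SHARED_SECRET) -> bool:
    """True only if the signature matches the raw body and the timestamp is within tolerance."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, signature = parse_header(header)
    except (ValueError, IndexError):
        return False
    expected = hmac.new(secret, timestamp.encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(expected, signature):
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    return (now - ts) <= TOLERANCE_SECONDS


class WebhookProcessor:
    """Verifies each delivery and runs the handler at most once per event id.
    The payload's "id" field and the in-memory set are assumptions; use a durable
    store (database, cache with TTL) in production so duplicates survive restarts."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.seen_ids = set()
        self.handled = []  # ids whose task actually ran, in order

    def handle(self, body: bytes, header: str, now: Optional[int] = None) -> str:
        # Verify before parsing: an unauthenticated body must not reach the JSON parser.
        if not verify(body, header, now, self.secret):
            return "rejected"
        event_id = json.loads(body)["id"]
        if event_id in self.seen_ids:
            return "duplicate"
        self.seen_ids.add(event_id)
        self.handled.append(event_id)  # real work (e.g. issuing tickets) goes here
        return "processed"


if __name__ == "__main__":
    now = int(time.time())
    body = b'{"id":"evt_1","event":"order.created"}'  # constructed sample payload
    processor = WebhookProcessor()
    print(processor.handle(body, sign(body, now), now))        # processed
    print(processor.handle(body, sign(body, now), now))        # duplicate
    print(processor.handle(body + b" ", sign(body, now), now))  # rejected (body tampered)
    print(processor.handle(body, sign(body, now - 600), now))  # rejected (stale)
```

Note that the tolerance check uses the timestamp that was signed, so an attacker cannot refresh a captured request without also forging the signature; the idempotency set then covers legitimate redeliveries inside the 5-minute window.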