Each event payload is a JSON object with properties event and data objects. The event object holds the event, and the data property holds a representation of the resource at the time the event was issued.
Each webhook HTTP request includes a X-Rootly-Signature header, used to verify the request came from Rootly. The signature header contains a timestamp prefixed with t= and a signature prefixed with v= .
To verify the request, concatenate the timestamp with the request body and generate a SHA256 HMAC digest using the webhook secret available in the webhook configuration. The HMAC digest should match the provided signature.
Ruby
Copy
Ask AI
require 'openssl'# Assuming 'request' is an object representing the incoming HTTP requestheader = request.headers['X-Rootly-Signature']parts = header.split(',')timestamp = parts[0].split('t=').lastsignature = parts[1].split('v1=').lastsecret = 'webhook secret'# Reading the request bodyrequest_body = request.body# Create a signature using HMAC SHA256expected_signature = OpenSSL::HMAC.hexdigest('SHA256', secret, timestamp + request_body)# Compare the computed signature with the received signatureis_valid = expected_signature == signature
Python
Copy
Ask AI
import hmacimport hashlibheader = request.headers['X-Rootly-Signature']parts = header.split(',')timestamp = parts[0].split('t=')[1]signature = parts[1].split('v1=')[1]secret = "webhook secret"# Reading the request bodyrequest_body = request.data # or request.body depending on the framework# Create a signature using HMAC SHA256expected_signature = hmac.new( key=secret.encode(), msg=(timestamp + request_body).encode(), digestmod=hashlib.sha256).hexdigest()# Compare the computed signature with the received signatureis_valid = expected_signature == signature
JS
Copy
Ask AI
const crypto = require('crypto');// Assuming 'request' is an object representing the incoming requestconst header = request.headers['x-rootly-signature'];const parts = header.split(',');const timestamp = parts[0].split('t=')[1];const signature = parts[1].split('v1=')[1];const secret = "webhook secret";// Reading the request body// Ensure that the request body is raw or a stringconst request_body = request.body; // Create a HMAC SHA256 signatureconst expectedSignature = crypto.createHmac('sha256', secret) .update(timestamp + request_body) .digest('hex');// Compare the computed signature with the received signatureconst isValid = expectedSignature === signature;