Developer portal

Webhook Authentication

Your app must verify the authenticity of a received webhook as outlined on this page.

Webhook Secret

You will receive a webhook secret key from us when your webhook endpoint is set up. Store this value somewhere safe.

Each webhook you set up has its own unique secret key.

Signature

With every webhook sent, you will receive an LTD-Webhook-Signature header, which contains a computed signature.

To verify the authenticity of a webhook, you need to compute the signature on your side and compare it with the received signature.


There is also an obsolete X-LTD-Webhook-Signature header, which will be removed in the future.

Computing the signature

To compute the signature, you will need your webhook secret and the body content you received.
Use these two values to create an HMAC-SHA256 hash encoded in Base64. Here is a C# example:
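using System;
using System.Security.Cryptography;
using System.Text;

// Returns Base64(HMAC-SHA256(text)), keyed with the UTF-8 bytes of the secret string.
public static string GetHMAC(string text, string key)
{
    using var hmacsha256 = new HMACSHA256(Encoding.UTF8.GetBytes(key));
    var hash = hmacsha256.ComputeHash(Encoding.UTF8.GetBytes(text));
    return Convert.ToBase64String(hash);
}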
                
where the parameters are:

Parameter   Description
[key]       The webhook secret key given to you when the webhook was set up.
[text]      The body content of the received webhook.

The result must match the value received in the LTD-Webhook-Signature header.

Example

For this example, let's assume we have the following values:

Field                Value
Webhook Secret Key   F6FkZsYFvfM8/DFcEOwmLg==

and the data received from the webhook are:

Field                   Value
LTD-Webhook-Signature   b3VVq3GVdtVjBi560WFW2Wf4lUd8wC00UMuaYfcF18U=
Body content            {"SomeValue":"Example","SomeObject":{"SomeValue2":"Example"}}

Compute the HMAC-SHA256 (Hash-based Message Authentication Code) of the body content, keyed with the Webhook Secret Key, and encode the result in Base64.

In the end, our computed value and the value received in the header (LTD-Webhook-Signature) match, therefore the request is authentic.
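The verification steps above as a receiver-side check, written in Python as an added example (not code from this portal). The function names and the header dictionary are assumptions; the demo requests are constructed, with the signature computed locally from the example secret and body on this page. It verifies over the raw body bytes and compares in constant time.

```python
import base64
import hashlib
import hmac
import json

SIGNATURE_HEADER = "LTD-Webhook-Signature"  # header name from this page


def compute_signature(raw_body: bytes, secret: str) -> str:
    """Base64(HMAC-SHA256(raw body)), keyed with the UTF-8 bytes of the secret string."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def is_authentic(headers: dict, raw_body: bytes, secret: str) -> bool:
    """Return True only if the header carries a valid signature for raw_body."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # missing or empty header: reject
    expected = compute_signature(raw_body, secret)
    # Constant-time comparison: does not reveal how much of the value matched.
    return hmac.compare_digest(expected.encode("ascii"), received.strip().encode("utf-8"))


def demo() -> dict:
    """Constructed requests: the signature is computed locally, not captured traffic."""
    secret = "F6FkZsYFvfM8/DFcEOwmLg=="  # example secret from this page
    body = b'{"SomeValue":"Example","SomeObject":{"SomeValue2":"Example"}}'
    good = {SIGNATURE_HEADER: compute_signature(body, secret)}
    # Parsing and re-serialising changes whitespace, so the bytes no longer match.
    reserialised = json.dumps(json.loads(body)).encode("utf-8")
    return {
        "valid": is_authentic(good, body, secret),
        "lowercase_header": is_authentic({"ltd-webhook-signature": good[SIGNATURE_HEADER]}, body, secret),
        "tampered_body": is_authentic(good, body.replace(b"Example", b"Changed"), secret),
        "reserialised_body": is_authentic(good, reserialised, secret),
        "missing_header": is_authentic({}, body, secret),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Pass the body exactly as received, before any JSON parsing, because a re-serialised body produces a different signature.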

[Obsolete] Computing the signature (header X-LTD-Webhook-Signature)

The following sections describe verification of the webhook request using the obsolete header X-LTD-Webhook-Signature, which will be removed in the future.

To compute the signature, you will need your partner ID, your webhook secret and a CRC32 checksum of the body content.
Encode these 3 values (separated by a colon) to a Base64 string, like so:
[affiliateId]:[webhookSecret]:[crc32]
where the fields are:

Field             Description
[affiliateId]     Your partner ID.
[webhookSecret]   The webhook secret key given to you when the webhook was set up.
[crc32]           Cyclic Redundancy Check (Crc32) checksum of the body content.

The result must match the value received in the X-LTD-Webhook-Signature header.

Example X-LTD-Webhook-Signature

For this example, let's assume we have the following values:

Field                    Value
Partner (Affiliate) ID   3fe4e9b5-99b9-46cf-b5e7-e7c94bd19088
Webhook Secret Key       F6FkZsYFvfM8/DFcEOwmLg==

and the data received from the webhook are:

Field                     Value
X-LTD-Webhook-Signature   M2ZlNGU5YjUtOTliOS00NmNmLWI1ZTctZTdjOTRiZDE5MDg4OkY2Rmtac1lGdmZNOC9ERmNFT3dtTGc9PTo0MDcwNzIwMTQ4
Body content              {"SomeValue":"Example","SomeObject":{"SomeValue2":"Example"}}

First, calculate the Cyclic Redundancy Check (Crc32) checksum of the body content, which in this example is 4070720148.

Then encode the required values in the format specified above to a Base64 string.

Input: 3fe4e9b5-99b9-46cf-b5e7-e7c94bd19088:F6FkZsYFvfM8/DFcEOwmLg==:4070720148
Output: M2ZlNGU5YjUtOTliOS00NmNmLWI1ZTctZTdjOTRiZDE5MDg4OkY2Rmtac1lGdmZNOC9ERmNFT3dtTGc9PTo0MDcwNzIwMTQ4

In the end, our computed value and the value received in the header match, therefore the request is authentic.