Developer portal

Webhook Authentication

Your app must verify the authenticity of a received webhook as outlined on this page.

Webhook Secret

You will receive a webhook secret key from us when your webhook endpoint is set up, store this value somewhere safe.

Webhook secret keys are unique for each set up webhook.

Signature

With every webhook sent, you will receive X-LTD-Webhook-Signature header, which will contain a computed signature.

To verify the authenticity of a webhook, you need to compute the signature on your side and compare it with the received signature.

Computing the signature

To compute the signature, you will need your partner ID, webhook secret and a CRC checksum of the body content.
Encode these 3 values (separated by a colon) to a Base64 string, like so:
[affiliateId]:[webhookSecret]:[crc32]
where the fields are:
Field Description
[affiliateId] Your partner ID.
[webhookSecret] The webhook secret key given to you when the webhook was set up.
[crc32] Cyclic Redundancy Check (Crc32) checksum of the body content.

The result must match the value received in X-LTD-Webhook-Signature header.

Example

For this example, let's assume we have the following values:
Field Value
Partner (Affiliate) ID 3fe4e9b5-99b9-46cf-b5e7-e7c94bd19088
Webhook Secret Key F6FkZsYFvfM8/DFcEOwmLg==
and the data received from the webhook are:
Field Value
X-LTD-Webhook-Signature M2ZlNGU5YjUtOTliOS00NmNmLWI1ZTctZTdjOTRiZDE5MDg4OkY2Rmtac1lGdmZNOC9ERmNFT3dtTGc9PTo0MDcwNzIwMTQ4
Body content {"SomeValue":"Example","SomeObject":{"SomeValue2":"Example"}}

First, calculate the Cycling Redundancy Check (Crc32) checksum of the body content, which in case of this example is 4070720148.

Then encode the required values in the format specified above to a Base64 string.

Input: 3fe4e9b5-99b9-46cf-b5e7-e7c94bd19088:F6FkZsYFvfM8/DFcEOwmLg==:4070720148
Output: M2ZlNGU5YjUtOTliOS00NmNmLWI1ZTctZTdjOTRiZDE5MDg4OkY2Rmtac1lGdmZNOC9ERmNFT3dtTGc9PTo0MDcwNzIwMTQ4

In the end, our computed value and the value received in the header match, therefore the request is authentic.