Webhook Authentication

Onfleet uses HMAC (hash-based message authentication code) with the SHA-512 hash function for additional authentication. Using the webhook secret obtained from the Onfleet dashboard, your webhook server should verify that each webhook request really comes from Onfleet and is associated with your organization.

Each webhook request contains a signature from Onfleet in the X-Onfleet-Signature header. To authenticate a webhook request received on your webhook server, you need to validate it against this header.

To validate against X-Onfleet-Signature, compare its value with an HMAC that you generate using the hexadecimal format of your webhook secret and the full body of the webhook POST request in raw bytes. We have provided some coding examples in Python, JavaScript and PHP.

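Python:

import hashlib, hmac, binascii

# secret: webhook secret as a hex string; body: request body exactly as received
digest = hmac.new(binascii.a2b_hex(secret), body.encode('utf-8'), 'sha512').hexdigest()

# Compare digest with the received X-Onfleet-Signature in raw bytes,
# using hmac.compare_digest for a constant-time comparison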
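
JavaScript:

const crypto = require('crypto');

// secret: webhook secret as a hex string; body: raw request body
const secret_in_hex = Buffer.from(secret, 'hex');

const hash = crypto.createHmac('sha512', secret_in_hex)
  .update(body)
  .digest('hex');

// Compare hash with the received X-Onfleet-Signature in raw bytes,
// using crypto.timingSafeEqual on equal-length Buffers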
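
PHP:

<?php

// $secret: webhook secret as a hex string; $body: raw request body
$hash = hash_hmac('sha512', $body, hex2bin($secret));

// Compare $hash with the received X-Onfleet-Signature in raw bytes,
// using hash_equals for a constant-time comparison
?>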
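
A fuller receiver-side check, added here as an illustration and not Onfleet's own code: it performs the comparison step in constant time, rejects unsigned requests, and shows why the HMAC must be computed over the raw body rather than re-serialized JSON. The function names, the sample secret and the sample payload are constructed for this example.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-onfleet-signature"  # header names are case-insensitive

# Constructed sample values, not a real secret or a real Onfleet payload.
SAMPLE_SECRET = "00112233445566778899aabbccddeeff"
SAMPLE_BODY = b'{"event":"constructed","id":1}'


def compute_signature(secret_hex: str, raw_body: bytes) -> str:
    """HMAC-SHA512 of the raw body, keyed with the hex-decoded secret."""
    key = bytes.fromhex(secret_hex)  # ValueError if the secret is not hex
    return hmac.new(key, raw_body, hashlib.sha512).hexdigest()


def verify_webhook(secret_hex: str, headers: dict, raw_body: bytes) -> bool:
    """Return True only when the header matches the HMAC of raw_body."""
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIGNATURE_HEADER)
    if not received:
        return False  # unsigned request: reject
    expected = compute_signature(secret_hex, raw_body)
    # Compare as bytes in constant time; a non-ASCII header cannot raise here.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.strip().encode("utf-8"))


def reserialized(raw_body: bytes) -> bytes:
    """Parse and re-dump the JSON, as a framework might do before your handler."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    headers = {"X-Onfleet-Signature": sig}
    print("genuine request:", verify_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY))
    print("tampered body:", verify_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY + b" "))
    print("re-serialized body:",
          verify_webhook(SAMPLE_SECRET, headers, reserialized(SAMPLE_BODY)))
    print("missing header:", verify_webhook(SAMPLE_SECRET, {}, SAMPLE_BODY))
```

The re-serialized case fails because json.dumps inserts spaces after separators, so the bytes no longer match what was signed; capture the request body before any JSON middleware touches it.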