To validate the signature, you need to use the X-Signature header and the request body.

1

Concatenate the following strings:

  • Value of the X-Timestamp header
  • eventId from the body of the request
  • All fields of the request body

For example: 1730482675607b17c862a961fbba3a02af42a7de6e643{"eventId": "b17c862a961fbba3a02af42a7de6e643", "event": "deposit-created", "subscriptionId": "61fbba3a02af4", "payload": {"baseCurrency": "BTC"}}

2

Generate the expected signature

The Platform uses 2 types of signatures depending on your choice when creating a subscription:

HMAC-SHA256 ValidationECDSA Validation
1. Sign the concatenated string with your API Secret using the HMAC SHA256 method.
2. Encode the generated signature in hexadecimal format.		1. Compute the SHA-256 hash of the concatenated string.
2. Use the ECDSA Public Key to verify the signature.
3. Encode the generated signature in hexadecimal format.
3

Compare the generated signature with the X-Signature header

4

Validate IP Address

You can additionally validate the IP address of the request to ensure that the request is coming from the expected source.

The Copper Platform sends webhooks from the following IP addresses: 63.33.117.167, 99.80.177.29, 52.215.155.205.

Please be aware that these addresses are only used for the Production environment and can change in the future.