Webhooks
Validate signature
To validate the signature, you need to use the
X-Signature header and the request body.
1
Concatenate the following strings:
- Value of the
X-Timestampheader eventIdfrom the body of the request- All fields of the request body
1730482675607b17c862a961fbba3a02af42a7de6e643{"eventId": "b17c862a961fbba3a02af42a7de6e643", "event": "deposit-created", "subscriptionId": "61fbba3a02af4", "payload": {"baseCurrency": "BTC"}}2
Generate the expected signature
The Platform uses 2 types of signatures depending on your choice when creating a subscription:
| HMAC-SHA256 Validation | ECDSA Validation |
|---|---|
| 1. Sign the concatenated string with your API Secret using the HMAC SHA256 method. 2. Encode the generated signature in hexadecimal format. | 1. Compute the SHA-256 hash of the concatenated string. 2. Use the ECDSA Public Key to verify the signature. 3. Encode the generated signature in hexadecimal format. |
3
Compare the generated signature with the X-Signature header
4
Validate IP Address
You can additionally validate the IP address of the request to ensure that the request is coming from the expected source.The Copper Platform sends webhooks from the following IP addresses:
63.33.117.167, 99.80.177.29, 52.215.155.205.Please be aware that these addresses are only used for the Production environment and can change in the future.