Webhook Signature

To ensure the security and integrity of the webhooks you receive, every notification sent from our system includes a unique cryptographic signature. Verifying this signature is a critical step in your integration, as it allows you to:

  • Authenticate the Sender: Confirm that the webhook payload was genuinely sent by BCB and not by an unauthorized third party.
  • Validate the Integrity: Ensure that the data contained within the webhook has not been tampered with during transit.

Your receiving endpoint should follow these steps to verify the signature:

  1. Retrieve the Signature: Extract the signature value from the X-BCB-Signature header of the incoming request.
  2. Generate Your Own Signature: Using the raw request body exactly as received (not a parsed and re-serialised copy) together with your secret key, compute your own signature with the same algorithm the sender used (e.g., HMAC-SHA256).
  3. Compare Signatures: Compare the signature you computed with the one received in the header.

If the two signatures match, you can be confident that the webhook is authentic and its data is trustworthy. If they do not match, the request should be treated as suspicious and rejected.

Failure to verify the signature can expose your systems to security vulnerabilities and potentially malicious data. We highly recommend implementing this verification as a standard security practice.
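The three verification steps above, as an added Python example (not code from the page or from BCB); the header name comes from the page, while the secret key, the lowercase-hex encoding of the signature value and the sample payload are assumptions made for this example:

```python
import hashlib
import hmac
import json

# Header name is taken from the page; the secret, the hex encoding of the
# signature value and the sample payload below are assumptions for this example.
SIGNATURE_HEADER = "X-BCB-Signature"

def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw body bytes, returned as lowercase hex (assumed encoding)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only when the header signature matches the raw request body.

    headers: header name -> value; HTTP header names are case-insensitive, so the
             lookup ignores case (the page shows both X-BCB-Signature and X-BCB-SIGNATURE).
    raw_body: the exact bytes received, before JSON parsing or re-serialisation.
    """
    received = next((v for k, v in headers.items()
                     if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not received:
        return False  # absent or empty header: reject, never treat as "unsigned is fine"
    expected = sign_payload(secret, raw_body)
    # compare_digest runs in constant time, so a mismatch does not reveal
    # how many leading bytes of a candidate signature were correct.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())

# Constructed sample data (not from the page) so the example runs stand-alone.
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_BODY = b'{"event":"payment.settled","amount":"10.00"}'

def demo() -> dict:
    """Run the verifier on a genuine, a tampered, an unsigned and a re-serialised body."""
    good_headers = {"Content-Type": "application/json",
                    "X-BCB-SIGNATURE": sign_payload(SAMPLE_SECRET, SAMPLE_BODY)}
    tampered_body = b'{"event":"payment.settled","amount":"99.00"}'
    # json.loads/json.dumps changes the whitespace, so the bytes no longer match:
    # verification must run over the raw body, never over a parsed-and-rebuilt one.
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode()
    return {
        "genuine": verify_webhook(SAMPLE_SECRET, good_headers, SAMPLE_BODY),
        "tampered": verify_webhook(SAMPLE_SECRET, good_headers, tampered_body),
        "unsigned": verify_webhook(SAMPLE_SECRET, {"Content-Type": "application/json"}, SAMPLE_BODY),
        "reserialised": verify_webhook(SAMPLE_SECRET, good_headers, reserialised),
    }
```

Only the "genuine" case verifies; the re-serialised case fails because the bytes that were signed are no longer the bytes being checked, which is the most common integration mistake.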


"headers":{
    "Content-Type": "application/json",
    "X-BCB-SIGNATURE": "<BCB-SIGNATURE>"
}
