
Security & Signature Verification

All webhook requests include a buzzin-signature header containing an HMAC SHA-256 signature and a buzzin-signature-timestamp header containing the timestamp used in signature generation. You must verify this signature to ensure the request is authentic.

Signature Generation

The signature is generated using:
Algorithm: HMAC SHA-256
Secret: Your webhook secret key
Payload: The raw JSON body of the request
Timestamp: Unix timestamp in milliseconds (included in buzzin-signature-timestamp header)
Signature Format: HMAC-SHA256(secret, timestamp + "-" + payload)
The signature is computed by concatenating the timestamp and payload with a hyphen separator: ${timestamp}-${payload}

Verification Process

1. Extract the buzzin-signature and buzzin-signature-timestamp headers from the request
2. Compute the HMAC SHA-256 signature of ${timestamp}-${payload} using your secret
3. Compare the computed signature with the provided signature
4. Optionally verify the timestamp is recent (within 5 minutes) to prevent replay attacks
5. Reject the request if signatures don't match or timestamp is too old
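
The verification steps above as a Node.js function; this is an added example, not code from this documentation. It assumes the signature header is hex-encoded (the page does not state the encoding), and the function name, secret, body and timestamp are constructed for illustration. It goes slightly beyond the listed steps by comparing in constant time and by also rejecting timestamps more than 5 minutes in the future.

```javascript
const crypto = require("crypto");

const MAX_AGE_MS = 5 * 60 * 1000; // the 5-minute window from step 4

// headers: lower-cased header map; rawBody: the body exactly as received
// (string or Buffer), captured before any JSON parsing or re-serialization.
function verifyWebhook(headers, rawBody, secret, now = Date.now()) {
  const signature = headers["buzzin-signature"];
  const timestamp = headers["buzzin-signature-timestamp"];
  if (typeof signature !== "string" || typeof timestamp !== "string") {
    return { ok: false, reason: "missing-header" };
  }
  // Assumption: the signature is sent as 64 hex characters.
  if (!/^[0-9a-f]{64}$/i.test(signature) || !/^\d{1,15}$/.test(timestamp)) {
    return { ok: false, reason: "malformed-header" };
  }
  // Same construction as the docs: HMAC-SHA256(secret, timestamp + "-" + payload)
  const expected = crypto.createHmac("sha256", secret)
    .update(`${timestamp}-`).update(rawBody).digest();
  // Constant-time comparison; both buffers are 32 bytes at this point.
  if (!crypto.timingSafeEqual(expected, Buffer.from(signature, "hex"))) {
    return { ok: false, reason: "bad-signature" };
  }
  // Checked after the HMAC, so the timestamp is already authenticated.
  if (Math.abs(now - Number(timestamp)) > MAX_AGE_MS) {
    return { ok: false, reason: "timestamp-outside-window" };
  }
  return { ok: true };
}

// Constructed sample data (not real credentials or a real event).
const DEMO_SECRET = "example-webhook-secret";
const DEMO_BODY = '{"event":"example","id":1}';
const DEMO_TS = "1700000000000";
// Builds the two headers the sender would attach for a given body.
const demoHeaders = (body = DEMO_BODY) => ({
  "buzzin-signature": crypto.createHmac("sha256", DEMO_SECRET)
    .update(`${DEMO_TS}-${body}`).digest("hex"),
  "buzzin-signature-timestamp": DEMO_TS,
});
```

Pass the body exactly as it arrived on the wire: a body that has been parsed and re-serialized can differ byte-for-byte from what was signed and will fail verification.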