Every notification sent by Bodyguard is transmitted using HTTPS ONLY. If you try to register a Webhook using HTTP, it will be denied.
The challenge is a way to ensure that you really are the owner of the webhook endpoint.
It is a randomly generated string sent in the Notification payload.
You MUST send it back in your response to the Notification request.
This parameter is used to make sure that the communication between Bodyguard and your endpoint is safe and secured.
Using this secret, an HMAC SHA256 hexadecimal digest hash of the Notification body is generated.
This hash is sent in the Notification request in the X-Hub-Signature header.
You CAN use X-Hub-Signature header to verify the notification payload integrity by comparing it with your own generated signature.
Here is the workflow to generate this signature on your side to validate the request you received from Bodyguard:
Create an HMAC SHA256 hex digest of the notification body using the Secret Encryption key you configured when registering your Webhook.
Get the X-Hub-Signature header value.
Compare the two hashes:
If they match, the integrity of the request is valid.
Otherwise, the notification request has been corrupted.
See Examples for more informations.