HMAC


Overview

Trulioo uses an HMAC (Hash-based Message Authentication Code) to authenticate webhook events so that you can confirm each event was genuinely sent by Trulioo and was not altered in transit. Every event delivered to your endpoint carries an HMAC signature in the x-trulioo-signature header. The signature is computed with a secret key that your Trulioo team shares with you; you recompute it on your side over the payload you received and compare the two values to confirm the event's authenticity.

How to Set Up HMAC Authentication

📘

As described above, the HMAC secret can be obtained by contacting your Trulioo team at [email protected]. We'll refer to this secret as secretValue below. Treat it like any other credential: keep it in your secrets store, never in client-side code or version control, and request a new one from your Trulioo team if you suspect it has been exposed.

1. Compute the HMAC Signature

For each webhook event you receive, compute an HMAC-SHA256 over the raw request body, keyed with secretValue. We'll call the result the computedTruliooSignature.

📘

Compute the HMAC over the exact bytes Trulioo sent. Do not parse and re-serialize the JSON, pretty-print it, or let a framework or logging layer rewrite it before you sign: any change, even whitespace or key ordering, produces a different HMAC and the check will fail.

2. Validate the HMAC Signature

Compare the computedTruliooSignature with the value in the x-trulioo-signature header. Use a constant-time comparison (most languages provide one, such as hmac.compare_digest in Python) rather than ordinary string equality, so that response timing does not leak how much of the expected signature an attacker has guessed correctly. Accept the webhook event if the two values match; reject it as unauthenticated if they do not, or if the header is missing.
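The two steps above, worked through end to end as an added example (this is not Trulioo's own code). It assumes secretValue is used directly as the HMAC key and that the x-trulioo-signature header carries the HMAC-SHA256 digest as a hex string; the page does not state the encoding, so confirm it against a real event from your Trulioo team. The sample payload and secret are constructed for illustration, and the signing of the payload stands in for what Trulioo does before sending the event.

```python
import hashlib
import hmac
import json

# Added example, not Trulioo's code. Assumptions: secretValue is the raw HMAC
# key, and x-trulioo-signature carries the HMAC-SHA256 digest as lowercase hex.
# Confirm the encoding against a real event before relying on this.

SECRET_VALUE = "example-shared-secret"  # constructed placeholder for secretValue

# Constructed sample payload, exactly as it would arrive on the wire (compact JSON).
RAW_BODY = b'{"eventType":"example.event","data":{"status":"complete"}}'


def compute_signature(secret_value: str, raw_body: bytes) -> str:
    """computedTruliooSignature: HMAC-SHA256 over the raw request body, keyed with secretValue."""
    return hmac.new(secret_value.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret_value: str, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the x-trulioo-signature header matches the recomputed HMAC."""
    # HTTP header names are case-insensitive; normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get("x-trulioo-signature")
    if not received:
        return False  # no signature at all: reject, never fall through to "accept"
    expected = compute_signature(secret_value, raw_body)
    # Constant-time comparison so response timing does not leak how many leading
    # characters of the expected signature an attacker has guessed correctly.
    return hmac.compare_digest(expected.encode("ascii"), received.strip().encode("utf-8"))


# Stand-in for Trulioo's side: sign the payload and attach the header.
HEADERS = {"X-Trulioo-Signature": compute_signature(SECRET_VALUE, RAW_BODY)}


def beautify(raw_body: bytes) -> bytes:
    """Re-serialise the JSON with indentation, as a framework or logger might."""
    return json.dumps(json.loads(raw_body), indent=2).encode("utf-8")


def run_checks() -> dict:
    """Exercise the accept and reject paths described in steps 1 and 2."""
    return {
        "genuine": verify_webhook(SECRET_VALUE, HEADERS, RAW_BODY),
        # Same data, different bytes: whitespace changes the HMAC input.
        "beautified": verify_webhook(SECRET_VALUE, HEADERS, beautify(RAW_BODY)),
        # Attacker-altered payload with the original signature replayed.
        "tampered": verify_webhook(SECRET_VALUE, HEADERS, RAW_BODY.replace(b"complete", b"failed")),
        # Wrong key, for example a rotated or staging secret.
        "wrong_secret": verify_webhook("other-secret", HEADERS, RAW_BODY),
        "missing_header": verify_webhook(SECRET_VALUE, {}, RAW_BODY),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:15} {'accept' if ok else 'reject'}")
```

In a real handler, read the body as bytes before any JSON middleware touches it and pass those bytes to verify_webhook; parse the JSON only after the signature has been accepted. The beautified case shows why: the same event re-serialized with indentation is rejected, because the HMAC covers bytes, not meaning.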