Validation

How To Validate Webhooks

You can effortlessly verify webhooks received from the MyCover.ai platform by following these steps:

Signature Inclusion: Every webhook sent includes a signature in the x-mycoverai-signature header. This signature is an HMAC-SHA512 hex digest of the webhook data, keyed with the merchant's (i.e. Distributor's) private secret API key.

Your secret API Key is located at Settings > Api Key & Web hooks.

It is usually annotated with "MCASECK".

Validation on Merchant's End: Merchants can compute the same signature over the received webhook data using their secret API key, then compare the result with the signature they received. If the signatures are the same, it's safe to go ahead and use the webhook information. However, if the signatures don't match, they should ignore the webhook and not use the information it carries.

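const crypto = require("crypto");

// Your secret API key (load it from configuration rather than hard-coding it)
const secretKey = 'MCASECK|49939d32-f649-4de4-ab35-51060ca292f9';

// Express-style handler; req.body must already be the parsed JSON payload
function handleWebhook(req, res) {
  // Recompute the HMAC-SHA512 signature over the received payload
  const signature = crypto
    .createHmac("sha512", secretKey)
    .update(JSON.stringify(req.body))
    .digest("hex");

  if (req.headers['x-mycoverai-signature'] === signature) {
    const event = req.body;
    // Do something with event - that will not take long

    // Return Ok
    return res.sendStatus(200);
  }

  // Signatures don't match: ignore the webhook and do not use its data
  return res.sendStatus(401);
}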
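
A hardened variant of the check above, as an added example (not MyCover.ai's own code): it keeps the page's HMAC-SHA512 scheme and header name but compares in constant time and rejects missing or malformed signatures. The helper names and the sample key, body and event name are constructed for illustration.

```javascript
const crypto = require("crypto");

// Header name and signing scheme (HMAC-SHA512 over JSON.stringify(body), hex)
// are taken from the page's snippet; everything else here is illustrative.
const SIGNATURE_HEADER = "x-mycoverai-signature";

// Hypothetical helper: compute the expected hex signature for a parsed body.
function computeSignature(body, secretKey) {
  return crypto
    .createHmac("sha512", secretKey)
    .update(JSON.stringify(body))
    .digest("hex");
}

// Hypothetical helper: true only for a well-formed, matching signature.
function isValidWebhook(headers, body, secretKey) {
  const received = headers[SIGNATURE_HEADER];
  // Reject a missing or repeated header, or anything that is not
  // exactly 128 lowercase hex characters (a 64-byte SHA-512 digest).
  if (typeof received !== "string" || !/^[0-9a-f]{128}$/.test(received)) {
    return false;
  }
  const expected = Buffer.from(computeSignature(body, secretKey), "hex");
  const actual = Buffer.from(received, "hex");
  // Both buffers are 64 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(expected, actual);
}

// Constructed sample data (not real MyCover.ai values)
const sampleKey = "MCASECK|00000000-0000-0000-0000-000000000000";
const sampleBody = { event: "example.event", data: { id: "abc123", amount: 5000 } };
const sampleHeaders = { [SIGNATURE_HEADER]: computeSignature(sampleBody, sampleKey) };

// Runs the verifier over a genuine webhook and four cases that must be rejected.
function demo() {
  const tampered = { ...sampleBody, data: { ...sampleBody.data, amount: 1 } };
  return {
    genuine: isValidWebhook(sampleHeaders, sampleBody, sampleKey),
    tampered: isValidWebhook(sampleHeaders, tampered, sampleKey),
    missingHeader: isValidWebhook({}, sampleBody, sampleKey),
    truncated: isValidWebhook({ [SIGNATURE_HEADER]: "abcd" }, sampleBody, sampleKey),
    wrongKey: isValidWebhook(sampleHeaders, sampleBody, "MCASECK|other"),
  };
}

console.log(demo());
```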
