Validate Outbound Webhooks and Web API

Protect your systems with authentication

Prerequisites:

  • You have exposed a public HTTPS endpoint to receive events
  • You have a valid API key

Overview

Your system should validate that the data received via webhooks and Web-API calls from bots and flows was actually sent by Glassix before acting on or responding to the request. Such validation is crucial for securing data and protecting your systems and servers from abuse.

We sign all Event Notification payloads with two HMAC-SHA1 signatures (SHA1 keyed with your API secret), each carried in a header of the POST request:

  • X-Hub-Signature
  • X-Glassix-Auth-Signature

Both values are prefixed with sha1=. Choose either of them for validation. Note that X-Hub-Signature is computed over the request body, whereas X-Glassix-Auth-Signature is computed over the X-Glassix-Auth-Date header only, so only the former binds the payload itself; the latter proves the sender holds the secret and, combined with the date check below, that the request is fresh.

Validate Payload Using X-Hub-Signature

  1. Compute an HMAC-SHA1 over the payload, keyed with your API Secret.

    Use the raw JSON body of the POST request, exactly as received, as the message and your API secret as the HMAC key. Do not re-serialise the parsed JSON first: any change in whitespace or key order produces a different digest.

  2. Verify that your hex digest is identical to the signature in the X-Hub-Signature header (everything after sha1=). Use a constant-time comparison so that response timing cannot reveal how many bytes of a forged signature were correct.

Testing X-Hub-Signature Validation

📘

Tip:

Use this website for testing.

  1. In the Copy-paste the string here box, paste the JSON body you received at your webhook/web API endpoint.
  2. In the Secret Key box, enter your API secret.
  3. In the Select a message digest algorithm drop-down, click SHA1.
  4. Click COMPUTE HMAC.
  5. Verify that the X-Hub-Signature you received (everything after sha1=) is identical to the signature in the Computed HMAC window.

Example: X-Hub-Signature: sha1=ccfc9fdfc967c61c46339577e4ac0f7193521eeb

Validate Request Using X-Glassix-Auth-Signature

  1. Compute an HMAC-SHA1 over the value of the X-Glassix-Auth-Date header, keyed with your API Secret.

    Use the X-Glassix-Auth-Date header value, exactly as received, as the message and your API secret as the HMAC key.

  2. Verify that your hex digest is identical to the signature in the X-Glassix-Auth-Signature header (everything after sha1=), using a constant-time comparison.
  3. Validate that the date is fresh, so that a captured header pair cannot simply be replayed (see below).

Protect against data spoofing

To protect against replay of a captured X-Glassix-Auth-Date and X-Glassix-Auth-Signature pair, we recommend the following protocol:

  1. Your webhook/web API records the system time at which the POST request was received.
  2. Compare that timestamp to the X-Glassix-Auth-Date in the header.
  3. Treat a difference of more than 5 minutes in either direction between the two timestamps as potentially malicious and reject the request. A signature that validates but carries a stale date is the signature of an intercepted request.
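The two checks above, X-Hub-Signature over the raw body (Validate Payload Using X-Hub-Signature) and X-Glassix-Auth-Signature over the date header together with the 5-minute window, implemented as an added Python example. This is not code from the Glassix documentation or any Glassix SDK. It assumes the X-Glassix-Auth-Date value is an ISO 8601 timestamp with an explicit UTC offset (the page does not state the format), and the secret, body and headers it uses are constructed sample values, not captured traffic.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Mapping, Optional

# Requests whose X-Glassix-Auth-Date differs from our clock by more than this are rejected.
MAX_CLOCK_SKEW = timedelta(minutes=5)


def sign(secret: str, message: bytes) -> str:
    """HMAC-SHA1 of message keyed with the API secret, in the 'sha1=<hex>' header form.

    The same routine lets a test client produce valid headers for a local endpoint.
    """
    return "sha1=" + hmac.new(secret.encode("utf-8"), message, hashlib.sha1).hexdigest()


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are case-insensitive and frameworks differ."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _signature_matches(received: Optional[str], expected: str) -> bool:
    """Check the sha1= prefix, then compare in constant time so timing leaks nothing."""
    if not isinstance(received, str) or not received.startswith("sha1="):
        return False
    return hmac.compare_digest(received.lower().encode("utf-8"), expected.encode("utf-8"))


def verify_hub_signature(headers: Mapping[str, str], raw_body: bytes, secret: str) -> bool:
    """X-Hub-Signature covers the POST body.

    Hash the bytes exactly as they arrived: re-serialising parsed JSON can change
    whitespace or key order and will not reproduce the sender's digest.
    """
    return _signature_matches(_header(headers, "X-Hub-Signature"), sign(secret, raw_body))


def parse_auth_date(value: str) -> Optional[datetime]:
    """Assumption: X-Glassix-Auth-Date is ISO 8601 with an explicit offset, e.g. 2024-05-01T10:00:00Z.

    The page does not state the format; adapt this to what your endpoint actually receives.
    Naive timestamps (no offset) are refused because they cannot be compared safely.
    """
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


def verify_auth_signature(headers: Mapping[str, str], secret: str,
                          now: Optional[datetime] = None) -> bool:
    """X-Glassix-Auth-Signature covers only the X-Glassix-Auth-Date header.

    A valid signature proves the sender holds the secret; the skew window is what
    stops a captured (date, signature) pair from being replayed indefinitely.
    """
    date_header = _header(headers, "X-Glassix-Auth-Date")
    if not date_header:
        return False
    expected = sign(secret, date_header.encode("utf-8"))
    if not _signature_matches(_header(headers, "X-Glassix-Auth-Signature"), expected):
        return False
    sent_at = parse_auth_date(date_header)
    if sent_at is None:
        return False
    now = now if now is not None else datetime.now(timezone.utc)
    return abs(now - sent_at) <= MAX_CLOCK_SKEW


def verify_request(headers: Mapping[str, str], raw_body: bytes, secret: str,
                   now: Optional[datetime] = None) -> bool:
    """Require both checks: the body is authenticated and the request is fresh."""
    return verify_hub_signature(headers, raw_body, secret) and verify_auth_signature(headers, secret, now)


if __name__ == "__main__":
    # Constructed sample request with a made-up secret (not captured traffic).
    secret = "example-api-secret"
    body = b'{"event":"ticket.created","ticketId":42}'
    sent = "2024-05-01T10:00:00Z"
    headers = {
        "Content-Type": "application/json",
        "X-Hub-Signature": sign(secret, body),
        "X-Glassix-Auth-Date": sent,
        "X-Glassix-Auth-Signature": sign(secret, sent.encode("utf-8")),
    }
    clock = parse_auth_date("2024-05-01T10:02:00Z")
    print("genuine request accepted:", verify_request(headers, body, secret, now=clock))
    print("tampered body rejected:", not verify_request(headers, body + b" ", secret, now=clock))
    late = parse_auth_date("2024-05-01T10:06:00Z")
    print("stale replay rejected:", not verify_request(headers, body, secret, now=late))
```

The `now` parameter exists so the freshness check can be exercised with a fixed clock; in production leave it unset. The window still allows a captured request to be replayed for up to 5 minutes, so if duplicate deliveries matter to you, additionally remember the signatures you have accepted within the window and reject repeats.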

Testing X-Glassix-Auth-Signature Validation

📘

Tip:

Use this website for testing.

  1. In the Copy-paste the string here box, enter the X-Glassix-Auth-Date you received at your webhook/web API endpoint.
  2. In the Secret Key box, enter your API secret.
  3. In the Select a message digest algorithm drop-down, click SHA1.
  4. Click COMPUTE HMAC.

Verify that X-Glassix-Auth-Signature (everything after sha1=) you received is identical to the signature in the Computed HMAC window.

Example: X-Glassix-Auth-Signature: sha1=ec55832cabea8d47a037babdca1c4112c317e6a3

Add Custom Request Headers

You can set custom request headers that Glassix will add to every request sent to your webhook's/web API's URL, for example a shared secret your endpoint checks as an additional layer of validation.

  1. Log into your Glassix account
  2. Go to Settings.

    Settings is the cog icon

  3. In the Developers section, click on Webhooks.
  4. Click Advanced Settings.

  5. a) In the Header Key and Header Value text boxes, enter your desired header.

     b) Optional. Click New Header and repeat step 5a to add more headers.

  6. Click Save.

Outbound IP Addresses

POST requests from Glassix tend to originate from the following IP addresses:

IP addresses
13.70.16.77
13.72.99.16
20.50.248.137
20.53.168.19
20.73.204.39
20.195.97.9
40.74.245.255
40.83.150.252
40.115.68.94
52.155.91.26
191.235.85.21

❗️

Warning:

This list is updated from time to time and is not definitive. We therefore do not recommend implementing allow-lists, i.e. filtering requests based on source IP, as these addresses can change; rely on signature validation instead.