Signed requests
Sign events and webhooks
Signing requests
Both webhooks and events can be signed for extra security.
Signing webhooks
For webhooks if you'd like the requests to be signed to ensure that they are authentic requests from formsort, you can enable the sign
security. Read more about creating a webhook here.
Signing events
All events for variant_revision_published
are signed by default. The signature for verfication can be found on the "Events" page.

Note: The signing key is generated by Formsort, and is different across events and webhooks.
How to verify a signature
To generate the signature for verification, use the original HTTP request body (aka JSON payload) and:
Hash the request body with SH256, encrypting it with signing key.
You can obtain the key in the Integrations tab when this option is enabled.
Base64 encode the result in a URL-safe-way, using
-
and_
instead of the+
and/
characters. This is necessary as Formsort sends the signature in an HTTP header.Remove the trailing
=
signs. Those are often generated by the hashing libraries as padding.
Sample implementations of the signature code follow:
import base64
import hashlib
import hmac
def as_bytes(v):
return v.encode("utf8")
def hmac_sign(signing_key, original_request_body): # unmodified, a jsonified string
key = as_bytes(signing_key)
message = as_bytes(original_request_body)
return (
# Note:
# 1. for url safety, use - and _ characters instead of + and / respectively
# 2. remove the padding = signs at the end of the signature
base64.urlsafe_b64encode(
hmac.new(key, message, hashlib.sha256).digest())
.rstrip(b"=")
.decode("utf8")
)
Note
When signing is enabled, Formsort will send the following additional HTTP headers on webhook requestsIf signature is enabled, then X-Formsort-Secure
will have the value of "sign"
and X-Formsort-Signature
will have the signature itself.
X-Formsort-Secure
sign
X-Formsort-Signature
{the hash}
Last updated
Was this helpful?