Signature Verification
Each Webhook request includes a signature. Verify it on your server to ensure the request really came from TWT Chat.
Signature Algorithm
- Algorithm: HMAC-SHA256
- Secret: your AppSecret
- Signed payload: the raw request body
- Output: lower-case hex string
The signature is delivered in the X-Chat-Signature header.
Verification Steps
- Read the
X-Chat-Signatureheader - Compute HMAC-SHA256 using the raw request body and your AppSecret
- Compare the lower-case hex result with the header value
- Accept the request if they match; otherwise reject it
Code Examples
PHP
<?php
$rawBody = file_get_contents('php://input');
$appSecret = 'YOUR_APP_SECRET';
$signature = hash_hmac('sha256', $rawBody, $appSecret);
$headerSignature = $_SERVER['HTTP_X_CHAT_SIGNATURE'] ?? '';
if (hash_equals($signature, $headerSignature)) {
// Signature verified
} else {
// Verification failed, reject the request
http_response_code(403);
exit;
}
Python 3
import hmac
import hashlib
raw_body = request.get_data(as_text=True)
app_secret = 'YOUR_APP_SECRET'
signature = hmac.new(
app_secret.encode(),
raw_body.encode(),
hashlib.sha256
).hexdigest()
header_signature = request.headers.get('X-Chat-Signature', '')
if hmac.compare_digest(signature, header_signature):
# Signature verified
pass
else:
# Verification failed
abort(403)
Node.js
const crypto = require('crypto');
const rawBody = req.body; // Raw string body, not a parsed object
const appSecret = 'YOUR_APP_SECRET';
const signature = crypto.createHmac('sha256', appSecret).update(rawBody).digest('hex');
const headerSignature = req.headers['x-chat-signature'] || '';
if (signature === headerSignature) {
// Signature verified
} else {
// Verification failed
res.status(403).end();
}
Go
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
)
func verifySignature(rawBody []byte, appSecret, headerSignature string) bool {
mac := hmac.New(sha256.New, []byte(appSecret))
mac.Write(rawBody)
expected := hex.EncodeToString(mac.Sum(nil))
return hmac.Equal([]byte(expected), []byte(headerSignature))
}
Java (JDK 8+)
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
String rawBody = // Read the raw request body
String appSecret = "YOUR_APP_SECRET";
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(new SecretKeySpec(appSecret.getBytes("UTF-8"), "HmacSHA256"));
byte[] hash = mac.doFinal(rawBody.getBytes("UTF-8"));
StringBuilder sb = new StringBuilder();
for (byte b : hash) {
sb.append(String.format("%02x", b));
}
String signature = sb.toString();
// Compare against the X-Chat-Signature request header