The following example of Ruby code illustrates how a method on the customer-hosted endpoint should process webhook event notifications and pings. In addition to requiring access to the webhook messages, this method requires the value of the webhook's secret field (this field is configured by way of the Marqeta Platform /webhooks endpoint).
The method performs these actions:
- First it computes the message signature using the raw request body and the secret.
- It then compares the computed signature against the actual signature contained in the message.
If the two signatures are equal, the signature is verified and the method proceeds to check whether the message is a ping or an event notification and processes the message accordingly.
If the signatures are not equal, the message is not verified and is processed accordingly.
def process_event_notification(http_raw_request_body, http_headers)
digest = OpenSSL::Digest.new("sha1")
computed_signature = OpenSSL::HMAC.hexdigest(digest, "secret", http_raw_request_body)
marqeta_signature = http_headers.get_fields("X-Marqeta-Signature")
if marqeta_signature == computed_signature
# Verified request.
request_body_hash = http_raw_request_body.to_hash
ping_body = request_body_hash[:pings]
if ping_body.token == "marqeta" && ping_body.payload = "healthcheck"
response.status_code = 200
# Insert code that checks for event notifications.
# Un-verified request. Insert code that responds appropriately.