Signature Verification

Marqeta platform webhooks provide an optional layer of security beyond the required Basic Authentication. This optional security layer both authenticates the message and validates message integrity by employing HMAC-SHA1 (keyed-hash message authentication code — Secure Hash Algorithm 1). In order to use this security layer, the customer-hosted endpoint must be configured to verify the message signature. This page provides information on how to implement signature verification.

Processing webhooks
Copy section link
Copy section link

The following example of Ruby code illustrates how a method on the customer-hosted endpoint should process webhook event notifications and pings. In addition to requiring access to the webhook messages, this method requires the value of the webhook’s secret field (this field is configured using the Marqeta platform’s /webhooks endpoint).

The method performs these actions:

First, it computes the message signature using the raw request body and the secret. It then compares the computed signature against the actual signature contained in the message. If the two signatures are equal, the signature is verified and the method proceeds to check whether the message is a ping or an event notification and processes the message accordingly.

If the signatures are not equal, the message is not verified and is processed accordingly.

Ruby
Copied

Is this helpful?

Yes

DOCS

Community

Sales

Signature Verification

Processing webhooks
Copy section link
Copy section link

Subscribe to our developer newsletter

Core API Reference

Core API Explorer

DiVA API Reference

Signature Verification

Processing webhooks Copy section linkCopy section link

Related materials

Guides / About Reporting

Core API Reference / Authentication

Guides / About Transactions

Guides / Security

Guides / About Webhooks

Subscribe to our developer newsletter

Processing webhooks
Copy section link
Copy section link