Webhooks Security

Ensuring secure communication between your application and Mergent is essential. There are several layers of security and validation that you can build into your web application for handling Mergent webhooks.

Validating Origin Signatures

Mergent signs all Task/Schedule HTTP requests with the X-Mergent-Signature header. This signature is an HMAC-SHA1 hash computed over the request body and keyed with your project's API key.
The Mergent libraries have built-in support for validating this signature.
JavaScript:
const validator = new RequestValidator("your project's API key");
validator.validateSignature("request body", "the value of X-Mergent-Signature");
Ruby:
validator = Mergent::RequestValidator.new("your project's API key")
validator.valid_signature?("request body", "the value of X-Mergent-Signature")
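
The same check done by hand with Node's built-in crypto module and a constant-time comparison, as an added example (not Mergent's library code). It assumes the header value is hex-encoded, which this page does not state; the function names, API key and request body are constructed for illustration.

```javascript
const crypto = require("crypto");

// Assumption: X-Mergent-Signature carries the HMAC-SHA1 digest as hex.
// The page does not state the encoding; pass "base64" if that is what you receive.
function computeSignature(apiKey, rawBody, encoding = "hex") {
  return crypto.createHmac("sha1", apiKey).update(rawBody).digest(encoding);
}

// rawBody must be the exact bytes received (string or Buffer), captured
// before any JSON parsing, because re-serialising changes the bytes.
function isValidSignature(apiKey, rawBody, headerValue, encoding = "hex") {
  if (typeof headerValue !== "string" || headerValue.length === 0) return false;
  const expected = crypto.createHmac("sha1", apiKey).update(rawBody).digest();
  const received = Buffer.from(headerValue.trim(), encoding);
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Constructed sample values, not real credentials or real Mergent traffic.
const SAMPLE_KEY = "test-project-api-key";
const SAMPLE_BODY = '{"id": 42, "name": "nightly-report"}';

function demo() {
  const header = computeSignature(SAMPLE_KEY, SAMPLE_BODY);
  const reparsed = JSON.stringify(JSON.parse(SAMPLE_BODY)); // whitespace is lost
  return {
    genuine: isValidSignature(SAMPLE_KEY, SAMPLE_BODY, header),
    tampered: isValidSignature(SAMPLE_KEY, SAMPLE_BODY.replace("42", "43"), header),
    reserialised: isValidSignature(SAMPLE_KEY, reparsed, header),
    wrongKey: isValidSignature("another-key", SAMPLE_BODY, header),
    missingHeader: isValidSignature(SAMPLE_KEY, SAMPLE_BODY, undefined),
    malformedHeader: isValidSignature(SAMPLE_KEY, SAMPLE_BODY, "not-hex"),
  };
}

console.log(demo());
```

Only `genuine` comes back true; `reserialised` fails even though the JSON is semantically identical, so configure your framework to expose the raw body to the verification step.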

HTTP Authentication / Authorization

Because Mergent allows you to set the request headers, it's easy to use standard or custom headers per request. Some common examples:

Basic Authentication

When creating a Task, set the request headers to include: { "Authorization": "Basic ..." }

Bearer Authentication

When creating a Task, set the request headers to include: { "Authorization": "Bearer ..." }

Encryption

You can also encrypt the request body when creating a Task. See https://docs.mergent.co/guides/encrypting-tasks