Webhooks Security
Ensuring secure communication between your application and Mergent is essential. There are several layers of security and validation that you can build into your web application for handling Mergent webhooks.
Mergent signs all Task/Schedule HTTP requests with the X-Mergent-Signature header. This signature is an HMAC-SHA1 hash of the request body signed by your project's API key. Mergent libraries have support for validating this signature built in.
JavaScript:
const validator = new RequestValidator("your project's API key");
validator.validateSignature("request body", "the value of X-Mergent-Signature");
Ruby:
validator = Mergent::RequestValidator.new("your project's API key")
validator.valid_signature?("request body", "the value of X-Mergent-Signature")
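If you cannot use one of the libraries, the same check can be written by hand. The following is an added example, not Mergent's library code: the function names and sample values are hypothetical, and it assumes the header carries the HMAC base64-encoded, which this page does not specify.

```javascript
const crypto = require("crypto");

// ASSUMPTION: the signature is sent base64-encoded; the page does not state the encoding.
const SIGNATURE_ENCODING = "base64";

// HMAC-SHA1 over the exact bytes received, keyed with the project's API key.
function computeSignature(apiKey, rawBody) {
  return crypto.createHmac("sha1", apiKey).update(rawBody).digest();
}

// Returns true only when the header value matches the HMAC of the raw body.
function isValidSignature(apiKey, rawBody, headerValue) {
  if (typeof headerValue !== "string" || headerValue.length === 0) return false;
  const expected = computeSignature(apiKey, rawBody);
  const received = Buffer.from(headerValue, SIGNATURE_ENCODING);
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Constructed sample values, not real credentials or traffic.
const SAMPLE_KEY = "example-api-key";
const SAMPLE_BODY = Buffer.from('{"id": 1,  "name":"demo"}', "utf8");
const SAMPLE_HEADER = computeSignature(SAMPLE_KEY, SAMPLE_BODY).toString(SIGNATURE_ENCODING);

function demo() {
  // Parsing and re-serialising JSON changes the bytes, so the HMAC no longer matches.
  const reserialised = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString("utf8"))), "utf8");
  return {
    rawBody: isValidSignature(SAMPLE_KEY, SAMPLE_BODY, SAMPLE_HEADER),
    reserialisedBody: isValidSignature(SAMPLE_KEY, reserialised, SAMPLE_HEADER),
    wrongKey: isValidSignature("other-key", SAMPLE_BODY, SAMPLE_HEADER),
    truncatedHeader: isValidSignature(SAMPLE_KEY, SAMPLE_BODY, SAMPLE_HEADER.slice(0, 10)),
    missingHeader: isValidSignature(SAMPLE_KEY, SAMPLE_BODY, undefined),
  };
}

console.log(demo());
```

Validate against the raw request bytes captured before any body parser runs, and reject the request when the check fails.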
Because Mergent allows you to set the request headers, it's easy to use standard or custom headers per request. Some common examples:
When creating a Task, set the request headers to include:
{ "Authorization": "Basic ..." }
When creating a Task, set the request headers to include:
{ "Authorization": "Bearer ..." }
Encrypting the request body when creating a Task is possible. See https://docs.mergent.co/guides/encrypting-tasks