Webhook Security

We currently support two types of Webhook authentication:

1. Hash-based Message Authentication Code

We include x-edume-signature header so you can verify that the payload came from us. The involves hashing the raw response body using the JavaScript snippet below.

import crypto from 'node:crypto';

crypto.createHmac('sha256', signatureSecret)
  .update(JSON.stringify(payload))
  .digest('hex');

It is strongly encouraged that you perform your own validation that the request came from eduMe. This can be done by hashing the payload with the Webhook Signature Secret and making sure it matches the value of x-edume-signature.

2. JWT & OAuth 2.0

You provide us a token which we include in the webhook request as a bearer token i.e authorization: Bearer <token>.

Additionally, we support periodically updating the webhook token with access token obtained from a third-party OAuth servers. To enable this, please reach out to your dedicated Customer Success Manager, or contact our Support team (support@edume.com)