
Building an endpoint

Endpoint requirements

  • Make sure Endpoint (or any intermediate redirect routes) does not resolve to any RFC1918 addresses.
  • Make sure Endpoint uses the HTTPS protocol
  • Endpoint should be accessible from EVA
  • Webhook should accept a POST request on endpoint
  • Implement some form of authentication on the endpoint

Verifying the signature

Each request to Endpoint will have the following headers: X-EVA-Signing-1, X-EVA-Signing-2 and X-Eva-Signing-Headers. X-Eva-Signing-Headers contains a comma separated list of all request headers considered in the signing process. This is helpful when operating behind a reverse proxy that might add headers of its own. Make sure the proxy does not remove any of the listed headers, as you would then be unable to validate the requests. To validate a request, use the following process:

1. Hashing the headers

Only use the headers listed in X-Eva-Signing-Headers.

Transform the headers from this:

    Content-Type: application/json;charset=utf-8
    Content-Length: 12345
    Authentication: Bearer MySecretToken

to:

    Authentication=Bearer MySecretToken
    Content-Length=12345
    Content-Type=application/json;charset=utf-8

Sort the headers, first by header key, then by header value. Separate each header key from its value with a single =, and separate the lines with \n.

Then encode this text to bytes (UTF-8) and hash it using SHA256. Save the hash as an uppercase hexadecimal string.

2. Hashing the body

Hash the raw body bytes using SHA256. Save the hash as an uppercase hexadecimal string.

3. Calculate the hash

Calculate the final hash as follows, where + is string concatenation of the two uppercase hex strings and your API key (store the result as an uppercase hexadecimal string):

final_hash = sha256(header_hash + body_hash + api_key)

This hash should match either X-EVA-Signing-1 or X-EVA-Signing-2.
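As an added example that is not EVA's own code, the following Python implements steps 1 to 3 and checks an incoming request against both signing headers. It assumes header names are matched case-insensitively, that the canonical lines are joined with \n and no trailing newline, and that the sample headers, body and API key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample request (not from the page); the API key is a placeholder.
SAMPLE_HEADERS = {
    "Content-Type": "application/json;charset=utf-8",
    "Content-Length": "12345",
    "Authentication": "Bearer MySecretToken",
    "X-Eva-Signing-Headers": "Content-Type,Content-Length,Authentication",
}
SAMPLE_BODY = b'{"event":"example"}'
SAMPLE_API_KEY = "example-api-key"


def canonical_headers(headers: dict, signing_headers: str) -> str:
    """Step 1: keep only the listed headers, sort by key then value, join as key=value lines."""
    # Assumption: names in X-Eva-Signing-Headers are matched case-insensitively.
    wanted = {name.strip().lower() for name in signing_headers.split(",") if name.strip()}
    pairs = [(k, v) for k, v in headers.items() if k.lower() in wanted]
    pairs.sort(key=lambda kv: (kv[0], kv[1]))
    return "\n".join(f"{k}={v}" for k, v in pairs)  # assumption: no trailing newline


def sha256_upper(data: bytes) -> str:
    """SHA-256 as an uppercase hex string, as every step of the scheme requires."""
    return hashlib.sha256(data).hexdigest().upper()


def compute_signature(headers: dict, signing_headers: str, body: bytes, api_key: str) -> str:
    """Steps 1-3: final_hash = sha256(header_hash + body_hash + api_key)."""
    header_hash = sha256_upper(canonical_headers(headers, signing_headers).encode("utf-8"))
    body_hash = sha256_upper(body)
    return sha256_upper((header_hash + body_hash + api_key).encode("utf-8"))


def sign_request(headers: dict, body: bytes, api_key: str, slot: str = "X-EVA-Signing-1") -> dict:
    """Return a copy of the headers carrying a computed signature (used to build sample input)."""
    signed = dict(headers)
    signed[slot] = compute_signature(headers, headers.get("X-Eva-Signing-Headers", ""), body, api_key)
    return signed


def verify_signature(headers: dict, body: bytes, api_key: str) -> bool:
    """Accept the request if either signing header matches; compare in constant time."""
    expected = compute_signature(headers, headers.get("X-Eva-Signing-Headers", ""), body, api_key)
    return any(
        hmac.compare_digest(expected.encode("utf-8"), headers.get(name, "").encode("utf-8"))
        for name in ("X-EVA-Signing-1", "X-EVA-Signing-2")
    )
```

Because the body hash covers the raw bytes, read the request body before any framework parses or re-serialises it.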