Practice with payload signature of WebHook

January 6, 2018

Firstly, Forge DevCon 2017 class recordings are now available! I'd recommend the class FDC122160: Seamless integration with Forge Webhooks which is a comprehensive introduction on WebHook API.

In reality,  we need to ensure the callback message is from Autodesk Forge, instead of a phishing, to prevent callback spoofing. In addition, since we could delegate same WebHook events with various subscribers, we might also need to identify if this is a callback message a specific subscriber takes care. WebHook provides the mechanism of  payload signature. The workflow is very simple:

Firstly, the subscriber provides a private token and post it to WebHook by POST tokens. The token in payload is your secret key for the HMAC hexdigest signature, you can generate that with a tool and put whatever alphanumeric between 32 and 64 characters. You will use that token to verify signature and only you should knew it.  Once a token is provided, any callback message from Autodesk will have a header element: X-Adsk-Signature, by which we could validate the message by computing the HASH SHA1 using the private token and message payload, and comparing with X-Adsk-Signature.  The last section of the on-line help tells more.

So, I used the on-line tool FreeFormatter to generate a private token. 



Next, post the private token to WebHook. In my practice, I used Postman.

post token

Each subscriber would have its own method to compute the HASH SHA1. e.g. in  how to verify payload signature, it demos by Node.js method: CryptoJS.HmacSHA1. Following this document, I setup a test Node.js project, start a tunnel by ngrok, create a WebHook for an event by the callback, and finally run/debug the Node.js project.


create webhook

Unfortunately, the signature was not match :( Finally I got I forgot to configure the parsing format of the HTTP Request to read raw body. So the callback body was computing for HASH as an object. After adding these lines with Node.js server, the signature matched now.

var app = express();
  inflate: true,
  limit: '1024kb',
  type: 'application/json'


In the last blog, I practiced with WebHook API by the on-line monitor tool RequestBin. It was simply to create a WebHook event and listen it. I tried to verify the signature from RequestBin manually. At the beginning, I used the on-line tool FreeFormatter, by inputing the callback payload and private token, but it does not match.


After some testing, I started to suspect if the algorithm of  FreeFormatter is different. So I switched to another tool MyEasyWWW. It can verify the signature matches! Although I have not got why FreeFormatter is different, this is a reminding on checking the algorithm (tool) if we found the signature is not matching, while it should match.



Posts by author

Xiaodong Liang has been with Autodesk since 2007, focusing on providing programming support, consulting, training and evangelism to external developers.