Verifying Webhooks

You can subscribe to webhooks that notify your application via a POST request to webhook endpoints configured on your account. You can configure webhook endpoints in your Impact Hub or via our API.

Pledge sends a header named Pledge-Signature with each webhook so that you can verify the event is coming from us. Pledge generates the signature using a hash-based message authentication code (HMAC) with SHA-256. To verify that a webhook is coming from Pledge, compute an HMAC with the SHA-256 hash function using your primary api_key as the key and the webhook’s payload as the message, then Base64-encode the result. Compare the computed signature to the value of the Pledge-Signature header using a constant-time comparison, as the examples below do. If they match, you can be sure that the webhook event came from Pledge.

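Ruby:

require 'base64'
require 'openssl'
require 'active_support/security_utils'

# Base64-encoded HMAC-SHA256 of the payload, keyed with your primary api_key
calculated_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', api_key, data))
# Constant-time comparison against the Pledge-Signature header value
ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, pledgeling_header)

Python:

import base64
import hashlib
import hmac

def verify_signature(api_key, data, pledgeling_header):
    # hmac.new() requires a bytes key, so encode the api_key string first
    digest = hmac.new(api_key.encode('utf-8'), data.encode('utf-8'), hashlib.sha256).digest()
    computed_hmac = base64.b64encode(digest)
    # Constant-time comparison against the Pledge-Signature header value
    return hmac.compare_digest(computed_hmac, pledgeling_header.encode('utf-8'))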
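
The check above applied to a whole incoming request, as an added example (not Pledge's own code): the HMAC is computed over the request body exactly as received, a missing or malformed Pledge-Signature header is rejected, and a body that was parsed and re-serialised fails verification. The function names, the str-typed api_key, the sample key and the payload are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SIGNATURE_HEADER = "pledge-signature"  # Pledge-Signature, lower-cased for lookup


def sign(api_key: str, raw_body: bytes) -> str:
    """Base64(HMAC-SHA256(key=api_key, msg=raw_body)), as described above."""
    mac = hmac.new(api_key.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_webhook(api_key: str, raw_body: bytes, headers: dict) -> bool:
    """True only if the header matches the HMAC of the exact bytes received."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER)
    if not received:
        return False  # missing or empty signature: reject, never skip the check
    try:
        received_bytes = received.strip().encode("ascii")
    except UnicodeEncodeError:
        return False  # a Base64 signature is always ASCII
    return hmac.compare_digest(sign(api_key, raw_body).encode("ascii"), received_bytes)


def handle(api_key: str, raw_body: bytes, headers: dict):
    """Verify first, parse second. Returns (status, parsed_event_or_None)."""
    if not verify_webhook(api_key, raw_body, headers):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample values, not real Pledge data.
API_KEY = "constructed_test_key"
BODY = b'{"id": 1,  "note": "constructed payload"}'  # note the double space
HEADERS = {"Pledge-Signature": sign(API_KEY, BODY)}
# Parsing and re-serialising changes the bytes, so the signature no longer matches.
RESERIALISED = json.dumps(json.loads(BODY)).encode("utf-8")

if __name__ == "__main__":
    print(handle(API_KEY, BODY, HEADERS))          # accepted
    print(handle(API_KEY, RESERIALISED, HEADERS))  # rejected: bytes differ
    print(handle(API_KEY, BODY, {}))               # rejected: no signature
```

In a web framework, pass the unparsed request body bytes to the verifier before any JSON middleware touches them.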