When we send event information using your Webhook URL, we include an event hash object. You can use this hash object (generated with an HMAC-SHA256 algorithm), event time, event type, and your webhook ID to verify that the event is coming from SignWell.

key = "Webhook ID sent in the webhook POST resource or get it from webhook LIST endpoint"

data = "#{params['event']['type']}@#{params['event']['time']}"
expected_signature = params['event']['hash']
calculated_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, key, data)
ActiveSupport::SecurityUtils.secure_compare(calculated_signature, expected_signature) # Will be true if signatures match

key = "Webhook ID sent in the webhook POST resource or get it from webhook LIST endpoint"

data = params['event']['type'] + '@' + str(params['event']['time'])
expected_signature = params['event']['hash']
calculated_signature = hmac.new(key.encode('utf-8'), data.encode('utf-8'), hashlib.sha256).hexdigest()
hmac.compare_digest(expected_signature, calculated_signature)  # Will be True if signatures match