Webhooks

In this guide, we will look at how to register and consume webhooks to integrate your app with Loopwise. With webhooks, your app can know when something happens in Loopwise, such as a payment being completed or a user enrolling in a course.

Integration Guide

Webhooks provide an efficient way for your system to receive real-time notifications about events from our platform. This includes scenarios such as when an order is placed, when a refund occurs, or when a new user registers.

Handling Webhooks

Once your endpoint receives a webhook request, you should:

  1. Validate the Request: Ensure the request is from a trusted source.
  2. Parse the Data: Decode the JSON data and process it according to your business logic, for example by updating an order's status or recording transaction details.
  3. Respond to the Request: Respond to the webhook request. Typically, an HTTP status code 200 indicates successful receipt.

IP Allowlisting

To enhance security and ensure that webhook requests are only received from legitimate sources, we recommend setting up IP allowlisting for your webhook endpoints. This ensures that only requests from Loopwise's trusted IP addresses are accepted.

Loopwise Webhook IP Address

Please add the following IP address to your allowlist for incoming webhook requests:

52.194.91.27

Webhook Signing and Verification

To ensure the security and integrity of webhook payloads sent from Loopwise, we implement a signing mechanism. This section explains how to use and verify the signature.

Signature

Each webhook request sent from Loopwise includes a signature in the header. This signature is computed using the payload and a secret signing key.

The signature is included in the Loopwise-Webhook-Signature header of the HTTP request.

Verifying the Signature

To verify that a webhook request genuinely came from Loopwise and wasn't tampered with, you should:

  1. Extract the signature from the Loopwise-Webhook-Signature header.
  2. Compute the expected signature using the payload and your signing key.
  3. Compare the computed signature with the one in the header.

Signature Computation

The signature is computed using HMAC SHA-256. Here are examples of how to compute and verify the signature:

Ruby
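require 'openssl'

# Returns true only if the signature matches the HMAC-SHA256 of the raw payload.
def verify_signature(payload, signature, signing_key)
  return false if signature.nil?  # Header missing

  computed_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), signing_key, payload)
  # Constant-time comparison (openssl gem 2.2+), so response timing
  # does not reveal how much of the signature matched
  OpenSSL.secure_compare(computed_signature, signature)
end

# Usage (inside your request handler)
payload = request.body.read  # Get the raw payload
signature = request.headers['Loopwise-Webhook-Signature']
signing_key = 'your_signing_key_here'

if verify_signature(payload, signature, signing_key)
  puts "Signature verified. Process the webhook."
else
  puts "Invalid signature. Reject the webhook."
end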
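
Node.js
const crypto = require("crypto");

// Returns true only if the signature matches the HMAC-SHA256 of the raw payload.
function verifySignature(payload, signature, signingKey) {
	if (typeof signature !== "string") return false; // Header missing
	const computedSignature = crypto
		.createHmac("sha256", signingKey)
		.update(payload)
		.digest("hex");
	const expected = Buffer.from(computedSignature);
	const received = Buffer.from(signature);
	// Constant-time comparison; timingSafeEqual throws on unequal lengths,
	// so the length is checked first
	return (
		expected.length === received.length &&
		crypto.timingSafeEqual(expected, received)
	);
}

// Usage (inside your request handler)
// Assuming you have middleware to access raw body
const payload = req.rawBody;
const signature = req.headers["loopwise-webhook-signature"];
const signingKey = "your_signing_key_here";

if (verifySignature(payload, signature, signingKey)) {
	console.log("Signature verified. Process the webhook.");
} else {
	console.log("Invalid signature. Reject the webhook.");
}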

Replace 'your_signing_key_here' with the actual signing key provided by Loopwise.
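
The three handling steps (validate, parse, respond) combined with the IP allowlist and the signature check in one handler, as an added example that is not Loopwise's own code. The handler shape, the non-200 status codes, the test key and the sample payload are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// IP address published on this page for Loopwise webhook deliveries.
const ALLOWED_IPS = new Set(["52.194.91.27"]);

// Hex HMAC-SHA256 over the raw request body, as in the page's examples.
function sign(rawBody, signingKey) {
	return crypto.createHmac("sha256", signingKey).update(rawBody).digest("hex");
}

// Constant-time comparison. timingSafeEqual throws on unequal lengths,
// so the length is checked first.
function signatureMatches(rawBody, signature, signingKey) {
	if (typeof signature !== "string") return false; // header missing
	const expected = Buffer.from(sign(rawBody, signingKey));
	const received = Buffer.from(signature);
	return expected.length === received.length &&
		crypto.timingSafeEqual(expected, received);
}

// Hypothetical handler: returns the response instead of writing to a socket.
// The non-200 status codes are this example's choice, not specified by Loopwise.
function handleWebhook({ remoteIp, headers, rawBody }, signingKey) {
	// 1. Validate: source IP first, then the signature over the unmodified bytes.
	if (!ALLOWED_IPS.has(remoteIp)) return { status: 403 };
	const signature = headers["loopwise-webhook-signature"];
	if (!signatureMatches(rawBody, signature, signingKey)) return { status: 401 };
	// 2. Parse only after the body has been authenticated.
	let event;
	try {
		event = JSON.parse(rawBody.toString("utf8"));
	} catch {
		return { status: 400 };
	}
	// 3. Respond with 200 to acknowledge receipt.
	return { status: 200, event };
}

// Constructed sample delivery (key, field names and values are made up).
const KEY = "test_signing_key";
const BODY = Buffer.from('{"event": "order.paid", "order_id": 1001}');
const delivery = (over = {}) => ({
	remoteIp: "52.194.91.27",
	headers: { "loopwise-webhook-signature": sign(BODY, KEY) },
	rawBody: BODY,
	...over,
});
```

A body that has been parsed and re-serialized no longer matches the signature, which is why the check runs on the raw bytes. Behind a reverse proxy or load balancer, `remoteIp` must be the client address reported by that trusted proxy rather than the socket peer.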

Security Considerations

  • Keep your signing key secret. Do not expose it in client-side code or public repositories.
  • Always verify the signature before processing webhook payloads.
  • Use HTTPS for all webhook endpoints to ensure the security of data in transit.

By implementing this verification process, you can ensure that the webhooks you receive are genuine and haven't been tampered with, enhancing the security of your integration with Loopwise.
