Is the documentation for Webhook Signatures correct

Looking at Webhooks
it says that the signature consist of signature = BASE64 ( HASH ( url_path + salt + …

But when looking at the Magento implementation Rapyd-Magento2/Webhook.php at 13401f68af14d4543217a92cb07e097fd0bfbfae · RapydPayments/Rapyd-Magento2 · GitHub
it consist of:
$sig_string = $http_method . $path . $salt .

Is it meant to be with or without http_method?

Edit: or maybe the Magento implementation is wrong as it also expects the access key to be in the header $access_key = $headers[‘accessKey’]; and the documentation isn’t mentioned about this, as the webhook call, I have received didn’t have any access key in the header either.

1 Like

Ok - found the answer: the http_method isn’t part of the signature in a webhook request

1 Like