Webhook Best Practices
Handling duplicate events
Your webhook endpoints may occasionally receive the same event more than once. This is due to the nature of network connectivity. We recommend making your event processing idempotent to handle duplicate events. One way of doing this is to log events that you’ve processed and to skip processing for already-logged events.
Webhook event ordering
You are not guaranteed to receive webhook events in the order they were created. For example, a network blip may cause an event to be retried and received after a newer event. Use the data.attributes.created-at field to determine creation ordering.
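The two practices above (skipping already-logged events and using data.attributes.created-at rather than arrival order) combined in one handler. This is an added example, not Persona's own code; the event id at data.id, the event name at data.attributes.name and the resource id at data.attributes.payload.data.id are assumed field paths, and the sample events are constructed.

```python
from datetime import datetime


def parse_created_at(value):
    """Parse the ISO 8601 created-at string into an aware datetime (UTC 'Z' suffix handled)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class WebhookProcessor:
    """Idempotent, order-tolerant event processing.

    In production the seen-id set and the per-resource watermark live in a
    durable store (database row with a unique constraint on the event id),
    so that a retry that lands on another worker is still recognised.
    """

    def __init__(self):
        self.seen_event_ids = set()      # events already processed (dedup log)
        self.latest_by_resource = {}     # resource id -> (created_at, event name)
        self.applied = []                # ids of events that changed state, in apply order

    def handle(self, event):
        data = event["data"]
        event_id = data["id"]                       # assumed path: data.id
        if event_id in self.seen_event_ids:
            return "duplicate"                      # same event delivered again: skip
        self.seen_event_ids.add(event_id)

        attrs = data["attributes"]
        created = parse_created_at(attrs["created-at"])
        resource_id = attrs["payload"]["data"]["id"]  # assumed path to the affected resource
        previous = self.latest_by_resource.get(resource_id)
        if previous is not None and created < previous[0]:
            return "stale"                          # older than what we already applied
        self.latest_by_resource[resource_id] = (created, attrs["name"])
        self.applied.append(event_id)
        return "applied"


def make_event(event_id, created_at, name, resource_id):
    """Build a constructed sample event in the assumed payload shape."""
    return {
        "data": {
            "id": event_id,
            "attributes": {
                "created-at": created_at,
                "name": name,
                "payload": {"data": {"id": resource_id}},
            },
        }
    }


# Constructed delivery order: the newer event arrives first, the older one is
# retried after it, and then the older one is delivered a second time.
DELIVERY_ORDER = [
    make_event("evt_2", "2024-05-01T10:05:00.000Z", "inquiry.completed", "inq_A"),
    make_event("evt_1", "2024-05-01T10:00:00.000Z", "inquiry.started", "inq_A"),
    make_event("evt_1", "2024-05-01T10:00:00.000Z", "inquiry.started", "inq_A"),
]


def process_all(events):
    """Run every event through one processor and return the per-event outcomes."""
    processor = WebhookProcessor()
    outcomes = [processor.handle(e) for e in events]
    return outcomes, processor


if __name__ == "__main__":
    outcomes, processor = process_all(DELIVERY_ORDER)
    print(outcomes)                                   # ['applied', 'stale', 'duplicate']
    print(processor.latest_by_resource["inq_A"][1])   # inquiry.completed
```

The duplicate check runs before the ordering check so that a re-delivered stale event is also recorded as seen; whether a "stale" event should be discarded or merely not allowed to overwrite newer state depends on what your handler does with it.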
Checking signatures
Requests from webhooks will contain a Persona-Signature header with a hexadecimal-encoded HMAC. You should check that any request is authentic and safe to process by comparing this value with your own digest, computed from the request body and your webhook secret. Your webhook secret can be found in the Webhooks section of the Dashboard.
The Persona-Signature header contains two comma-separated key-value pairs encoding information about the request. The first key-value pair will be in the form t=<unix_timestamp> and represents the unix time that the request was sent. The second key-value pair will be in the form v1=<signature>, where the signature is computed from your webhook secret and a dot-separated string composed of the unix timestamp joined with the request body.
It’s possible to have more than one valid signature for a webhook if its secrets are in the process of rotating. You can rotate your webhook secrets either via the Dashboard or the rotate secret API. In this case, the Persona-Signature header will contain two space-separated sets of the key-value pairs described above.
Sample code for checking signatures:
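An added verification routine (not Persona's own sample code) that parses the header format described above, recomputes the digest over "<timestamp>.<raw body>" and compares in constant time, accepting the request if any signature set in the header matches. It assumes the HMAC is HMAC-SHA256, treats the secret value and the request body as constructed placeholders, and adds a timestamp tolerance window that this page does not specify. It also shows why the raw body, not re-serialised JSON, must be used.

```python
import hashlib
import hmac
import json
import time

WEBHOOK_SECRET = "wbhsec_PLACEHOLDER_not_a_real_secret"  # placeholder for the Dashboard secret
TOLERANCE_SECONDS = 300  # assumption: reject timestamps older/newer than 5 minutes


def parse_signature_header(header):
    """Split 'Persona-Signature' into a list of {key: value} dicts.

    One set looks like 't=<ts>,v1=<hex>'; during secret rotation two such
    sets appear, separated by a space.
    """
    sets = []
    for group in header.strip().split(" "):
        if not group:
            continue
        pairs = {}
        for kv in group.split(","):
            key, _, value = kv.partition("=")
            pairs[key.strip()] = value.strip()
        sets.append(pairs)
    return sets


def compute_signature(secret, timestamp, raw_body):
    """Hex HMAC over '<timestamp>.<raw body>'. HMAC-SHA256 is an assumption here."""
    if isinstance(raw_body, str):
        raw_body = raw_body.encode("utf-8")
    message = timestamp.encode("utf-8") + b"." + raw_body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_webhook(header, raw_body, secret=WEBHOOK_SECRET, now=None,
                   tolerance=TOLERANCE_SECONDS):
    """Return True if any signature set in the header matches our own digest."""
    now = time.time() if now is None else now
    for pairs in parse_signature_header(header):
        timestamp, provided = pairs.get("t"), pairs.get("v1")
        if not timestamp or not provided:
            continue
        try:
            ts_int = int(timestamp)
        except ValueError:
            continue
        if abs(now - ts_int) > tolerance:
            continue  # outside the replay window (tolerance is this example's assumption)
        expected = compute_signature(secret, timestamp, raw_body)
        if hmac.compare_digest(expected, provided):  # constant-time comparison
            return True
    return False


def sign_for_demo(secret, timestamp, raw_body):
    """Produce one 't=...,v1=...' set the way a sender would; used only to build samples."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, raw_body)}"


def reserialized_body(raw_body):
    """Parse and re-dump the JSON body, as a naive handler might before hashing."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    # Constructed sample request: note the float 1.10 in the body.
    body = b'{"data":{"id":"evt_example","attributes":{"amount":1.10}}}'
    ts = "1700000000"
    header = sign_for_demo(WEBHOOK_SECRET, ts, body)
    print(verify_webhook(header, body, now=1700000010))                 # True
    print(verify_webhook(header, reserialized_body(body), now=1700000010))  # False: 1.10 became 1.1
    # Rotation: previous secret's set first, current secret's set second.
    rotated = sign_for_demo("previous_secret_PLACEHOLDER", ts, body) + " " + header
    print(verify_webhook(rotated, body, now=1700000010))                # True
```

Verification happens before the body is parsed or acted on, on the exact bytes received; the reserialised body fails because parsing and re-dumping changed both the float and the whitespace, which is the failure mode the next section describes.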
Parsing JSON when computing HMACs
In some languages, parsing the JSON may result in something that’s not equivalent to the request body. For example, JavaScript may round floats and reduce precision. We recommend using the raw request body when computing the HMAC.
CSRF protection
If you’re using Rails, Django, or another web framework, your site might automatically check that every POST request contains a CSRF token. This is an important security feature that helps protect you and your users from cross-site request forgery attempts. However, this security measure might also prevent your site from processing legitimate events. If so, you might need to exempt the webhooks route from CSRF protection.