Authentication & responses

Webhooks secret

A webhook secret is a key shared between Toggle and your application. Toggle uses it to calculate the signature that is passed in the header of every request (exposed in PHP as $_SERVER['HTTP_TOGGLE_SIGNATURE']).

This adds a security layer between the two apps (Toggle and your App) to make sure the payload that you receive has not been tampered with and really came from Toggle. The signature is an HMAC-SHA256 of the entire raw request body, keyed with the signing secret that we have supplied to you. For every request your application receives, recompute the signature over the raw body and compare it with the header value using a constant-time comparison, in order to ensure that the request is not fraudulent.

The secret will be provided by the Toggle support team when you first set up a webhook with us.

Handling requests

Before accepting any webhook sent to you, you should verify it by recomputing the HMAC over the raw request body and comparing the result with the signature header.

The following example (in PHP) shows how you could compute the expected signature and check the payload.

function verifySignature($signingSecret, $payload) {
    // Signature header as exposed by PHP; empty string when the header is absent.
    $sig_header = $_SERVER['HTTP_TOGGLE_SIGNATURE'] ?? '';
    // Recompute the HMAC-SHA256 over the raw request body with the shared secret.
    $computedSignature = hash_hmac('sha256', $payload, $signingSecret);
    // Constant-time comparison (known value first); false when the header is missing.
    return hash_equals($computedSignature, $sig_header);
}

// $payload must be the raw body, e.g. verifySignature($signingSecret, file_get_contents('php://input'));

Response and attempts

We will expect a 200 response from your server. In case of failure we will attempt to dispatch the webhook another 3 times before giving up.

In order to prevent timeouts, we recommend that your server responds to webhook events before executing any processing logic, for example by queuing the event for background processing and returning 200 immediately.
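The following is an added example (not Toggle's own code, and not the PHP snippet above) that ties together the two points on this page: verify the signature first, then acknowledge with 200 before any business logic runs. It uses the same HMAC-SHA256-over-raw-body construction as the PHP example. The header name "Toggle-Signature", the handler and queue names, and the sample body and secret are assumptions made for the example, not values from the page.

```python
import hmac
import hashlib

# Assumed header name; PHP exposes it as $_SERVER['HTTP_TOGGLE_SIGNATURE'].
SIGNATURE_HEADER = "Toggle-Signature"


def compute_signature(signing_secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw request body keyed with the signing secret.

    Equivalent to PHP's hash_hmac('sha256', $payload, $signingSecret).
    """
    return hmac.new(signing_secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(signing_secret: str, raw_body: bytes, header_value) -> bool:
    """Constant-time comparison of the header against the recomputed HMAC.

    A missing or empty header is treated as a verification failure rather than
    raising an exception, so the endpoint never crashes on malformed requests.
    """
    if not isinstance(header_value, str) or not header_value:
        return False
    expected = compute_signature(signing_secret, raw_body)
    # Compare as bytes so a non-ASCII header value cannot raise TypeError.
    return hmac.compare_digest(expected.encode("ascii"), header_value.strip().encode("utf-8"))


def handle_webhook(headers: dict, raw_body: bytes, signing_secret: str, queue: list) -> int:
    """Return the HTTP status to send back to Toggle.

    Verification happens on the raw body before anything else. On success the
    event is appended to a (hypothetical) background queue and 200 is returned
    immediately, so slow processing cannot cause a timeout and a retry storm.
    """
    if not verify_signature(signing_secret, raw_body, headers.get(SIGNATURE_HEADER)):
        return 401  # reject: tampered body, wrong secret, or missing header
    queue.append(raw_body)  # a worker processes this later; nothing heavy happens here
    return 200


if __name__ == "__main__":
    # Constructed sample values, not real Toggle data.
    secret = "constructed-test-secret"
    body = b'{"event":"test","id":1}'
    pending: list = []
    good = {SIGNATURE_HEADER: compute_signature(secret, body)}
    print(handle_webhook(good, body, secret, pending))            # 200, event queued
    print(handle_webhook(good, body + b" ", secret, pending))     # 401, body tampered
    print(handle_webhook({}, body, secret, pending))              # 401, header missing
```

The important detail is that the signature is computed over the exact bytes Toggle sent; decoding the JSON and re-serialising it before hashing will silently break verification because key order and whitespace can change.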

We will disable your endpoint if we receive invalid responses from your server over consecutive days.
