Webhooks are a way for Loanwise to notify your application when a specific event occurs. For example, when a household is analysed, a webhook can be triggered to notify your application.
Authentication
Webhooks are authenticated using a secret key that is unique to your account. This secret key is used to sign the payload of the webhook. The signature is passed in the Signature header of the webhook request.
Our signing method is simple but efficient. For every webhook we call, we pass an additional header called Signature that contains the hash of the payload.
In your webhook, you can validate if that Signature header contains the hash you expected.
Computing the correct signature
$computedSignature = hash_hmac('sha256', $payload, $secret);- The
$payloadis the body of the POST request, which will be a JSON representation of the event. - The
$secretcan be set on the developer page in your dashboard. - The
hash_hmac()function is a PHP function that generates a keyed hash value using the HMAC method. - The
$computedSignatureshould match the Signature header in the webhook call.