PainChek webhooks use a hash-based message authentication code (HMAC) to sign each outgoing payload. A secret is generated by PainChek (when the webhook subscription is registered) and the consuming application must hold a copy of that secret for validating each inbound payload.
The entire body of the payload is hashed using sha1 and the shared secret. This hash is then supplied in the headers of each outgoing webhook request - e.g.:
The HMAC allows the consumer of the webhook to verify both that the contents of the payload have not been tampered with in transit and that the request genuinely originates from the holder of the shared secret.
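The verification step on the receiving side, as an added example that is not PainChek's own code: it recomputes the HMAC-SHA1 over the raw request body with the shared secret and compares it in constant time. The header name (`X-Signature`), the hex encoding of the digest, and the sample secret and body are assumptions made for this example; substitute the header name and encoding that appear in the actual webhook request.

```python
import hmac
import hashlib

# ASSUMPTION: header name is a placeholder; the page does not state the real one.
SIGNATURE_HEADER = "X-Signature"

# Constructed sample values for the demonstration (not real PainChek data).
SAMPLE_SECRET = b"example-secret-issued-at-subscription"
SAMPLE_BODY = b'{"event":"assessment.completed","id":123}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA1 over the exact body bytes; hex encoding is an assumption."""
    return hmac.new(secret, raw_body, hashlib.sha1).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only when the signature header matches the body.

    - Hash the raw bytes as received, never a re-serialised JSON object:
      any change in key order or whitespace would change the digest.
    - Use hmac.compare_digest so the comparison does not leak timing.
    """
    received = None
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == SIGNATURE_HEADER.lower():
            received = value
            break
    if not received:
        return False  # unsigned request: reject rather than process
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, received.strip().lower())


if __name__ == "__main__":
    hdrs = {SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, hdrs))                # True
    tampered = SAMPLE_BODY.replace(b'"id":123', b'"id":124')
    print(verify_webhook(SAMPLE_SECRET, tampered, hdrs))                   # False
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, {}))                  # False
```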
Although we don't generally recommend it, the client may optionally save an Authorization header when subscribing to a webhook.
If supplied, the details are passed via the Authorization request header.
All of the standard authentication schemes are supported - basic, bearer, digest, etc. - and the scheme name must be included in the value when configuring the webhook - e.g. "Basic YWxhZGRpbjpvcGVuc2VzYW1l".
Relying on an Authorization header alone should be avoided where possible, as it can expose the recipient system to impersonation attacks if the token is breached.