Authentication
To ensure the security and integrity of your interactions with our API, we require all requests to be authenticated using an API key. This key uniquely identifies your application and authorizes your API calls.
Obtaining Your API Key
Your API key can be obtained from the Developer Dashboard upon registering your application at https://zeroxpay.com/developer (opens in a new tab). Keep your API key confidential to prevent unauthorized access to your account.
This API key can also be used for webhook authentication.
Webhook Authentication
Securing your webhooks is crucial to ensure that the data received by your endpoints comes from a trusted source. To authenticate webhook requests from our servers, we use the same API key provided for API requests. This section explains how to verify webhook requests using your API key.
Verifying Webhook Signatures
Each webhook request includes a signature in the request headers. This signature is generated using your API key, ensuring that the request is indeed from our servers.
Step 1: Retrieve the Signature
Look for the signature in the headers of the incoming webhook request. The signature is typically found in a header named X-Signature.
X-Signature: SIGNATURE_HEREStep 2: Generate Your Own Signature
To verify the signature, you need to generate a hash using the payload of the webhook and your API key. Depending on the algorithm used (e.g., HMAC SHA256), you can generate the hash in your server-side code.
For example, if using HMAC SHA256, your code to generate a hash might look like this:
const crypto = require("crypto");
function generateSignature(payload, apiKey) {
return crypto.createHmac("sha256", apiKey).update(payload).digest("hex");
}Ensure you replace payload with the actual payload of the webhook and apiKey with your API key.
Step 3: Compare the Signatures
Finally, compare the signature you've generated with the one provided in the X-Signature header. If they match, the webhook request is authenticated.
Example Code
Here is an example code snippet showing how to verify a webhook signature:
const express = require("express");
const bodyParser = require("body-parser");
const crypto = require("crypto");
const app = express();
app.use(bodyParser.json());
app.post("/webhook", (req, res) => {
const apiKey = "YOUR_API_KEY_HERE"; // Replace with your API key
const signatureHeader = req.headers["x-signature"];
const payload = JSON.stringify(req.body);
const generatedSignature = generateSignature(payload, apiKey);
if (signatureHeader === generatedSignature) {
console.log("Webhook verified successfully.");
// Process the webhook payload
} else {
console.log("Webhook verification failed.");
return res.status(401).send("Unauthorized");
}
res.status(200).send("OK");
});
function generateSignature(payload, apiKey) {
return crypto.createHmac("sha256", apiKey).update(payload).digest("hex");
}
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
console.log(`Server is running on port ${PORT}`);
});Note: Replace YOUR_API_KEY_HERE with your actual API key. This example uses Express.js for handling HTTP requests and the crypto module for generating hashes.
This approach ensures that your webhook endpoints only accept requests that can be verified as originating from our servers, using the API key as a shared secret for generating and verifying signatures.