0

I'm trying to verify Smartsheet's Webhook API whenever Smartsheet makes a POST request to my callback URL. Has anyone worked with this before?

I need to verify the POST request is coming from Smartsheet, whenever a call is made to my Callback URL.

Following the guide here:

To authenticate a callback request:

1. Calculate the HMAC of the webhook's sharedSecret and the request body.
This must be done using the SHA-256 cryptographic hash algorithm.

2. Format the calculated value as a string in base 16.

3. Compare your result with the value of the Smartsheet-Hmac-SHA256 header of the request.

I'm using JavaScript. I was able to generate a hash. I tried several approaches, none of them worked. Based on best practice and from what I've worked with before, this should work:

crypto.createHash('sha256', sharedSecret).update(JSON.stringify(body)).digest('hex');

but it's not. I even tried this too:

crypto.createHash('sha256').update(sharedSecret+JSON.stringify(body)).digest('hex');

It's not working.

The body variable here is from req.body, from the payload Smartsheet sends to my callback URL, and sharedSecret is the secret provided by Smartsheet when I created the webhook.

samceena

1 Answer

0

I finally figured it out. I was using the wrong function. The right way to do it will be:

crypto.createHmac('sha256',sharedSecret).update(JSON.stringify(body)).digest('hex');

'hex' is the same as base 16, according to the spec.

The sharedSecret will be the key, and the body of the request needs to be converted to a string to make it work. Running this code produces the exact same string as we have in: 'smartsheet-hmac-sha256', so we can compare & verify.

samceena
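
Added example (not part of the original answer, and not Smartsheet's code): a verifier for the three steps quoted in the question that computes the HMAC over the request body bytes as received and compares the result in constant time. `rawBody`, the function names, and the sample secret and payload are assumptions constructed for illustration; the last helper shows that a parsed and re-serialized body verifies only when `JSON.stringify` reproduces the sent bytes exactly.

```javascript
// Added example: verify the Smartsheet-Hmac-SHA256 header against the raw body.
const crypto = require('node:crypto');

// Steps 1 and 2 of the guide: HMAC-SHA256 keyed with sharedSecret, as base 16.
function computeSignature(sharedSecret, rawBody) {
  return crypto.createHmac('sha256', sharedSecret).update(rawBody).digest('hex');
}

// Step 3: compare with the header value. Returns true only on an exact match.
// rawBody (assumption) is the unparsed request body, captured before any
// JSON body parser runs.
function verifyCallback(sharedSecret, rawBody, headerValue) {
  // Reject a missing, repeated (array) or malformed header before comparing.
  if (typeof headerValue !== 'string' || !/^[0-9a-fA-F]{64}$/.test(headerValue)) {
    return false;
  }
  const expected = Buffer.from(computeSignature(sharedSecret, rawBody), 'hex');
  const received = Buffer.from(headerValue, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  // A constant-time compare avoids leaking how many leading bytes matched.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values, not real Smartsheet data.
const SAMPLE_SECRET = 'constructed-shared-secret';
const SAMPLE_BODY = Buffer.from(
  '{"webhookId": 123, "events": [{"objectType": "row"}]}', 'utf8');
const SAMPLE_HEADER = computeSignature(SAMPLE_SECRET, SAMPLE_BODY);

// Failure mode: parsing and re-serializing drops the spaces in SAMPLE_BODY,
// so the bytes (and therefore the HMAC) no longer match what was signed.
function reserialize(rawBody) {
  return Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))), 'utf8');
}

function demo() {
  return {
    rawBytes: verifyCallback(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADER),
    reserialized: verifyCallback(SAMPLE_SECRET, reserialize(SAMPLE_BODY), SAMPLE_HEADER),
    wrongSecret: verifyCallback('other-secret', SAMPLE_BODY, SAMPLE_HEADER),
    missingHeader: verifyCallback(SAMPLE_SECRET, SAMPLE_BODY, undefined),
  };
}

console.log(demo());
```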