0

I have created a webhook with an Intuit developer account: https://developer.intuit.com/app/developer/qbo/docs/develop/webhooks#configuring-webhooks

It works fine. My question is how to use the verifier token in order to secure the webhook.

I see various Intuit headers but am not sure how to use them.


Petran

1 Answer

0

There is detailed documentation:

  1. Hash the notification payload with HMAC_SHA256_ALGORITHM using your verifier token as the key.
  2. Convert the intuit-signature header from base-64 to base-16.
  3. Compare the value from step 1 to the intuit-signature header from the notification. The values should be identical.

https://developer.intuit.com/app/developer/qbo/docs/develop/webhooks/managing-webhooks-notifications#validating-the-notification

Here is some more information on how to generate the HMAC hash (Using HMAC SHA256 in Ruby) and how to convert the base64 signature to base16 (Converting a hexadecimal digest to base64 in Ruby). To compare the values, Rails implements a safe_compare method (https://api.rubyonrails.org/classes/ActiveSupport/SecurityUtils.html).
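
The three steps above in plain Ruby, as an added example that is not part of the original answer or of Intuit's documentation. The method names, the sample token and the sample payload are assumptions constructed for illustration; in a Rails app the hand-written comparison can be replaced by `ActiveSupport::SecurityUtils.secure_compare`.

```ruby
require "openssl"

# Constant-time string comparison: the running time does not depend on
# how many leading characters match, so it leaks nothing about the digest.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# raw_body:         request body exactly as received (not re-serialized JSON,
#                   which may differ byte-for-byte from what was signed)
# signature_header: value of the intuit-signature header (base64)
# verifier_token:   the webhook verifier token
def valid_intuit_signature?(raw_body, signature_header, verifier_token)
  return false if signature_header.nil? || signature_header.strip.empty?
  return false if verifier_token.nil? || verifier_token.empty?

  # Step 1: HMAC-SHA256 of the payload, keyed with the verifier token (hex).
  expected_hex = OpenSSL::HMAC.hexdigest("SHA256", verifier_token, raw_body)

  # Step 2: base64 -> base16. "m0" is strict base64 and raises on bad input.
  begin
    received_hex = signature_header.strip.unpack1("m0").unpack1("H*")
  rescue ArgumentError
    return false
  end

  # Step 3: the two hex strings must be identical.
  constant_time_equal?(expected_hex, received_hex)
end

# Constructed sample values (not real Intuit data).
SAMPLE_TOKEN = "example-verifier-token"
SAMPLE_BODY = '{"example":"constructed payload"}'
SAMPLE_SIGNATURE =
  [OpenSSL::HMAC.digest("SHA256", SAMPLE_TOKEN, SAMPLE_BODY)].pack("m0")
```

Reject the request (for example with a 401) whenever the method returns false, before parsing or acting on the body.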