Securing webhook endpoints is critical to ensure that your system only processes legitimate requests from MeetBit. Our webhook security uses a combination of a timestamp and an HMAC signature to verify each request.

Timestamp Validation

Replay attacks occur when a malicious actor intercepts a legitimate request and resends it later to trick your system into performing the same action again. To protect against this form of attack, MeetBit sends an X-Webhook-Timestamp header along with each request.
X-Webhook-Timestamp (string, required): The ISO8601 timestamp of when the webhook was sent. Used to prevent replay attacks.
Whenever your endpoint receives a request, check that this header is present and parses as an ISO8601 timestamp. If it is missing, or its value is older than 5 minutes, disregard the request. Apply this check together with the signature check below; on its own the timestamp proves nothing about who sent the request, and it is only trustworthy because it is part of the signed string.

HMAC Signature

The Hash-based Message Authentication Code (HMAC) signature ensures that each webhook request is authentic and hasn’t been altered in transit. By using a shared secret to generate the signature, your system can verify that the payload truly comes from MeetBit and remains intact. MeetBit sends an X-Webhook-Signature header along with each request.
X-Webhook-Signature (string, required): The HMAC signature of the request. Used to verify authenticity.
Compare the value of this header with an HMAC signature that your system independently computes, using a constant-time comparison (for example hash_equals in PHP or hmac.compare_digest in Python; a plain string equality leaks how many leading characters matched). If the values don’t match, disregard the request. Because the timestamp is included in the signed string, an attacker cannot edit X-Webhook-Timestamp to extend a replay window without invalidating the signature.

Computing the HMAC Signature

The HMAC signature is HMAC-SHA256, keyed with your destination secret, computed over a string built by joining three parts with a period: the Webhook ID (from the request header), the ISO8601 timestamp (from the X-Webhook-Timestamp header), and the JSON-encoded body of the request exactly as it was sent. Sign the raw request body rather than a re-encoded copy of the parsed body: re-serialising JSON can change key order, whitespace or escaping and produce a string that differs from the one MeetBit signed.
Example String to Hash
3f0e2f9b-8d44-4a7d-9c2a-1f5b2e7d9a6c.2024-08-22T01:04:05Z.{"event":"meeting_links.scheduled","data":{"id":1234}}
Take note of the period (.) character in between each segment of the string above.
The exact calls differ from language to language. Below are some examples of how to compute and check the signature.
  <?php
  /* PREPARE INPUTS */
  $secret = getenv('MEETBIT_WEBHOOK_SECRET'); // destination secret, stored securely e.g. env vars (variable name is an example)
  $id = ""; // Webhook ID from the request header (header name not shown on this page)
  $timestamp = $_SERVER['HTTP_X_WEBHOOK_TIMESTAMP'] ?? ''; // X-Webhook-Timestamp header
  $received = $_SERVER['HTTP_X_WEBHOOK_SIGNATURE'] ?? ''; // X-Webhook-Signature header
  // Use the raw request body as sent. Re-encoding a decoded array (json_encode(json_decode(...)))
  // can change key order or escaping and yield a different string from the one MeetBit signed.
  $data = file_get_contents('php://input');
  
  /* BUILD MESSAGE */
  $message = "{$id}.{$timestamp}.{$data}";
  
  /* CREATE SIGNATURE */
  $signature = hash_hmac('sha256', $message, $secret); // lowercase hex digest
  
  /* COMPARE */
  // hash_equals() compares in constant time; a plain == leaks timing information.
  $valid = hash_equals($signature, $received);
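The following Python receiver is an added example, not code from MeetBit or this page's own SDK; it ties together both checks described above (timestamp freshness and HMAC-SHA256 over `id.timestamp.body` with a constant-time compare). It assumes the signature is a lowercase hex digest as PHP's hash_hmac produces, and since this page does not name the header that carries the Webhook ID, the header name "X-Webhook-Id" is a placeholder assumption. The secret and clock in demo() are constructed; the ID, timestamp and body are the example string from this page. It also goes slightly beyond the page's rule by rejecting timestamps that lie far in the future, not only old ones.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Optional

# Header names compared case-insensitively. The two X-Webhook-* names are from
# the page; the ID header name is NOT given there and is an assumed placeholder.
TIMESTAMP_HEADER = "x-webhook-timestamp"
SIGNATURE_HEADER = "x-webhook-signature"
WEBHOOK_ID_HEADER = "x-webhook-id"  # assumption, adjust to the real header name

MAX_AGE = timedelta(minutes=5)


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO8601 timestamp; a trailing 'Z' or an explicit offset are accepted."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    return ts.astimezone(timezone.utc)


def timestamp_is_fresh(value: str, now: datetime, max_age: timedelta = MAX_AGE) -> bool:
    """False for unparseable values and for timestamps older than max_age.
    Timestamps more than max_age in the future are also rejected: that is an
    added hardening, the page's rule only speaks about old timestamps."""
    try:
        ts = parse_timestamp(value)
    except ValueError:
        return False
    age = now - ts
    return -max_age <= age <= max_age


def build_message(webhook_id: str, timestamp: str, raw_body: bytes) -> bytes:
    """'<id>.<timestamp>.<json body>' using the raw body bytes exactly as received,
    so the receiver never re-encodes JSON and risks changing key order or escaping."""
    return f"{webhook_id}.{timestamp}.".encode() + raw_body


def compute_signature(secret: str, webhook_id: str, timestamp: str, raw_body: bytes) -> str:
    """HMAC-SHA256 keyed with the destination secret, lowercase hex (PHP hash_hmac default)."""
    message = build_message(webhook_id, timestamp, raw_body)
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: dict, raw_body: bytes,
                   now: Optional[datetime] = None) -> bool:
    """True only if all headers are present, the timestamp is fresh and the
    signature matches. Every failure is a plain False so the caller cannot
    tell an attacker which check tripped."""
    h = {k.lower(): v for k, v in headers.items()}
    webhook_id, timestamp, signature = (
        h.get(WEBHOOK_ID_HEADER), h.get(TIMESTAMP_HEADER), h.get(SIGNATURE_HEADER))
    if not (webhook_id and timestamp and signature):
        return False
    if not timestamp_is_fresh(timestamp, now or datetime.now(timezone.utc)):
        return False
    expected = compute_signature(secret, webhook_id, timestamp, raw_body)
    # Constant-time comparison; '==' would leak how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo() -> dict:
    """Run the checks against constructed inputs; secret and clock are made up,
    ID/timestamp/body are the page's example string."""
    secret = "demo-secret"  # constructed; a real one comes from a secret store
    webhook_id = "3f0e2f9b-8d44-4a7d-9c2a-1f5b2e7d9a6c"
    timestamp = "2024-08-22T01:04:05Z"
    body = b'{"event":"meeting_links.scheduled","data":{"id":1234}}'
    now = datetime(2024, 8, 22, 1, 6, 0, tzinfo=timezone.utc)  # ~2 min after sending

    good = {"X-Webhook-Id": webhook_id, "X-Webhook-Timestamp": timestamp,
            "X-Webhook-Signature": compute_signature(secret, webhook_id, timestamp, body)}
    bad_sig = {**good, "X-Webhook-Signature": "0" * 64}
    moved_ts = {**good, "X-Webhook-Timestamp": "2024-08-22T01:05:00Z"}  # fresh, but not what was signed
    no_sig = {k: v for k, v in good.items() if k != "X-Webhook-Signature"}
    return {
        "valid": verify_webhook(secret, good, body, now),
        "tampered_body": verify_webhook(secret, good, body.replace(b"1234", b"9999"), now),
        "wrong_signature": verify_webhook(secret, bad_sig, body, now),
        "wrong_secret": verify_webhook("other-secret", good, body, now),
        "tampered_timestamp": verify_webhook(secret, moved_ts, body, now),
        "replayed_later": verify_webhook(secret, good, body, now + timedelta(minutes=10)),
        "missing_header": verify_webhook(secret, no_sig, body, now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

In a real handler, pass the framework's raw request bytes (for example `request.get_data()` in Flask or `await request.body()` in FastAPI) as `raw_body` and leave `now` unset so the current UTC time is used; the `now` parameter exists only so the freshness window can be exercised deterministically.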