
# Webhook Security

> Learn how to secure your webhook endpoints

Securing webhook endpoints is critical to ensure that your system only processes legitimate requests from MeetBit. Our webhook security uses a combination of a timestamp and an HMAC signature to verify each request.

## Timestamp Validation

Replay attacks occur when malicious actors intercept legitimate requests and resend them later to trick your system into performing the same action multiple times.

To protect against this form of vulnerability, MeetBit sends an `X-Webhook-Timestamp` header along with each request.

<ParamField header="X-Webhook-Timestamp" type="string" required>
  The ISO8601 timestamp of when the webhook was sent. Used to prevent replay attacks.
</ParamField>

Whenever your endpoint receives a request, check for the presence of this header. **If the value of this header is older than 5 minutes, then disregard the request**.

## HMAC Signature

The Hash-based Message Authentication Code (HMAC) signature ensures that each webhook request is authentic and hasn’t been altered in transit. By using a shared secret to generate the signature, your system can verify that the payload truly comes from MeetBit and remains intact.

MeetBit sends an `X-Webhook-Signature` header along with each request.

<ParamField header="X-Webhook-Signature" type="string" required>
  The HMAC signature of the request. Used to verify authenticity.
</ParamField>

Compare the value of this header with an HMAC signature that your system independently computes. **If the values don't match, then disregard the request**.

### Computing the HMAC Signature

The HMAC Signature is computed by using the [destination secret](/webhooks/introduction#setup) as the key for an HMAC-SHA256 over a concatenated string composed of the Webhook ID (from the header), the ISO8601 timestamp (from the header), and the JSON-encoded body of the request.

```txt Example String to Hash theme={null}
3f0e2f9b-8d44-4a7d-9c2a-1f5b2e7d9a6c.2024-08-22T01:04:05Z.{"event":"meeting_links.scheduled","data":{"id":1234}}
```

<Note>
  Take note of the period (`.`) character in between each segment of the string above.
</Note>

Computing the HMAC Signature differs from language to language. Below are some examples of how to execute this process.

<CodeGroup>
  ```php PHP theme={null}
    /* PREPARE INPUTS */
    $secret = ""; // stored securely e.g. env vars
    $id = ""; // from request header
    $timestamp = ""; // from request header
    $body = []; // from request
    $data = json_encode($body);
    
    /* BUILD MESSAGE */
    $message = "{$id}.{$timestamp}.{$data}";
    
    /* CREATE SIGNATURE */
    $signature = hash_hmac('sha256', $message, $secret);
  ```

  ```javascript Javascript theme={null}
    import crypto from 'crypto';

    /* PREPARE INPUTS */
    const secret = ''; // store securely e.g. env vars
    const id = ''; // from request header
    const timestamp = ''; // from request header
    const body = {}; // from request
    const data = JSON.stringify(body);

    /* BUILD MESSAGE */
    const message = `${id}.${timestamp}.${data}`;

    /* CREATE SIGNATURE */
    const signature = crypto
      .createHmac('sha256', secret)
      .update(message)
      .digest('hex');
  ```

  ```python Python theme={null}
    import json
    import hmac
    import hashlib
    
    # PREPARE INPUTS
    secret = b''  # bytes, stored securely e.g. env vars
    webhook_id = '' # from request header
    timestamp = '' # from request header
    body = {} # from request
    # Compact separators match the JSON encoding shown in the example string above;
    # json.dumps' default inserts spaces and would produce a different signature.
    data = json.dumps(body, separators=(',', ':'))

    # BUILD MESSAGE (use the JSON string, not the Python dict's repr)
    message = f"{webhook_id}.{timestamp}.{data}".encode('utf-8')

    # CREATE SIGNATURE
    signature = hmac.new(secret, message, hashlib.sha256).hexdigest()
  ```
</CodeGroup>
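The snippets above only compute the signature. The added example below (not MeetBit's own code) puts the whole check together: it enforces the 5-minute timestamp window, signs the raw request body as received, and compares signatures in constant time. It assumes the Webhook ID arrives in a header named `X-Webhook-Id` (the page does not name that header) and uses the example string from this page as constructed sample input.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # window stated in the docs above


def compute_signature(secret: bytes, webhook_id: str, timestamp: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over "<id>.<timestamp>.<body>", hex-encoded."""
    message = f"{webhook_id}.{timestamp}.".encode("utf-8") + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def timestamp_is_fresh(timestamp: str, now: datetime) -> bool:
    """Reject requests whose X-Webhook-Timestamp is older than MAX_AGE."""
    try:
        sent = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    except ValueError:
        return False  # unparseable timestamp: treat as invalid
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    age = now - sent
    # The future bound is a clock-skew sanity check (assumption, not a MeetBit rule).
    return -MAX_AGE <= age <= MAX_AGE


def verify_webhook(headers: dict, raw_body: bytes, secret: bytes, now: datetime) -> bool:
    """True only if the request is fresh and carries a valid signature."""
    webhook_id = headers.get("X-Webhook-Id")  # header name is an assumption
    timestamp = headers.get("X-Webhook-Timestamp")
    signature = headers.get("X-Webhook-Signature")
    if not (webhook_id and timestamp and signature):
        return False
    if not timestamp_is_fresh(timestamp, now):
        return False
    expected = compute_signature(secret, webhook_id, timestamp, raw_body)
    # Constant-time comparison; a plain == would leak timing information.
    return hmac.compare_digest(expected, signature.lower())


# Constructed sample input, taken from the example string on this page.
SAMPLE_SECRET = b"example-secret"
SAMPLE_ID = "3f0e2f9b-8d44-4a7d-9c2a-1f5b2e7d9a6c"
SAMPLE_TS = "2024-08-22T01:04:05Z"
SAMPLE_BODY = b'{"event":"meeting_links.scheduled","data":{"id":1234}}'


def sample_headers(signature: str) -> dict:
    return {"X-Webhook-Id": SAMPLE_ID, "X-Webhook-Timestamp": SAMPLE_TS,
            "X-Webhook-Signature": signature}
```

Pass the body bytes exactly as received rather than re-serializing them, so key order and whitespace cannot drift from what MeetBit signed.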
