Webhook clients have the option to set up an HMAC signature with us to validate that the webhook payload is authentically from Treet. To get started, reach out to the Treet team at support@treet.co and express your interest. Afterwards, we will provide you with:

  • A secret key which you can use to sign the incoming webhook payload.
  • An additional X-Treet-Signature header on our webhook requests, containing an HMAC (keyed hash) of the request data.

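With the secret key, you can compute the HMAC of the incoming webhook payload and compare it against our X-Treet-Signature header. Compute it over the raw request body bytes, before any JSON parsing, because a re-serialized body may not match byte for byte. Here is an example of how the payload can be validated with Node.js and Express: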

const assert = require("assert");
const crypto = require("crypto");
const express = require("express");
const app = express();

// Keep the exact request bytes on req.buffer. The /endpoint handler computes
// its HMAC over this buffer, so it must be the body as received rather than a
// parsed or re-serialized copy.
const keepRawBody = (req, _res, buf) => {
  if (!Buffer.isBuffer(buf)) {
    return;
  }
  req.buffer = buf;
};

// Registered app-wide with type "*/*": the raw parser handles every content
// type on every route, not only the webhook endpoint.
app.use(express.raw({ type: "*/*", verify: keepRawBody }));

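// NOTE(review): express.raw is registered earlier for every content type, so
// the body has presumably been consumed already and req.body is a Buffer by
// the time this parser runs. Confirm before relying on parsed JSON here.
app.use(express.json());

/**
 * Webhook receiver: accepts the request only when the X-Treet-Signature
 * header equals the base64 HMAC-SHA256 of the raw request body.
 *
 * Responds 401 when the header or body is missing or the signature does not
 * match; otherwise responds with JSON echoing the received signature.
 */
app.post("/endpoint", (req, res) => {
  const signature = req.get("X-Treet-Signature");

  // req.buffer is set by the raw-body verify hook only when a body was read.
  // Reject early instead of letting the HMAC update throw on undefined.
  if (typeof signature !== "string" || !Buffer.isBuffer(req.buffer)) {
    return res.status(401).json({ error: "invalid signature" });
  }

  // Calculate the HMAC signature using the secret key from Treet.
  // Load the real secret from the environment or a secret store rather than
  // committing it to source control.
  const hmac = crypto
    .createHmac("sha256", "<secret key>") // substitute secret
    .update(req.buffer) // already a Buffer, so no input encoding applies
    .digest("base64");

  // Compare in constant time so response timing does not reveal how much of a
  // guessed signature was correct. timingSafeEqual throws on unequal lengths,
  // so check the length first (the digest length is not secret).
  const expected = Buffer.from(hmac, "utf8");
  const provided = Buffer.from(signature, "utf8");
  const isValid =
    provided.length === expected.length &&
    crypto.timingSafeEqual(provided, expected);

  // A failed check is an authentication failure, not a server error: answer
  // 401 rather than throwing into the default error handler.
  if (!isValid) {
    return res.status(401).json({ error: "invalid signature" });
  }

  res.json({ signature });
});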

// Start the example server on port 8888 and log once it is accepting requests.
const onListening = () => {
  console.log("listening on 8888");
};

app.listen(8888, onListening);