Building trust between Leafy Energy and your endpoint
Webhooks are a powerful way to push events into your systems. In the demo we focus on verifying that a webhook truly comes from Leafy Energy.
Shared secret per endpoint
- When you register a webhook endpoint, Leafy Energy generates a secret.
- You use this secret to validate an HMAC signature.
Example of a signed header
X-Leafy-Signature: t=1710000000,v1=abcdef123456...
The signature is an HMAC computed over the payload and the timestamp, keyed with the secret. On your side you compute the same value and compare it with the one in the header.
Security tips
- Reject webhooks with timestamps that are too old.
- Always use HTTPS for your endpoint.
- Log failed verifications as security signals.
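The check described above, combined with the timestamp and logging tips, as an added example that is not Leafy Energy's own code. It assumes HMAC-SHA256 over "<timestamp>.<raw body>" with a hex-encoded v1 value and a 300-second tolerance; the page does not specify these, so confirm them against your endpoint's documentation.

```python
import hashlib
import hmac
import logging
import time

log = logging.getLogger("leafy.webhook")
TOLERANCE_SECONDS = 300  # assumed replay window; the page only says "too old"


def parse_signature_header(header):
    """Split 't=...,v1=...' into (timestamp, signature); raises on bad input."""
    parts = dict(item.strip().split("=", 1) for item in header.split(","))
    return int(parts["t"]), parts["v1"]


def expected_signature(secret, timestamp, body):
    # Assumption: HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.
    # Sign the raw request bytes, never a re-serialized copy of the JSON.
    signed = str(timestamp).encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret, header, body, now=None):
    now = time.time() if now is None else now
    try:
        timestamp, received = parse_signature_header(header)
    except (ValueError, KeyError):
        log.warning("webhook rejected: malformed signature header")
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        log.warning("webhook rejected: timestamp %d outside tolerance", timestamp)
        return False
    expected = expected_signature(secret, timestamp, body)
    # Constant-time comparison so response timing does not leak the signature.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        log.warning("webhook rejected: signature mismatch")
        return False
    return True


# Constructed sample values, not real Leafy Energy data.
SECRET = b"whsec_example_only"
BODY = b'{"event":"meter.reading","kwh":12.5}'
T = 1710000000
HEADER = f"t={T},v1={expected_signature(SECRET, T, BODY)}"
```

Route the warning log lines to the same place as your other security alerts, so that repeated failures against one endpoint stand out.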