Signing and verifying Leafy Energy webhooks

Verifying that a webhook really comes from Leafy Energy

To prevent spoofing, the Leafy Energy demo signs every webhook request with an HMAC signature. You validate this signature before processing the payload.

Headers

X-Leafy-Signature: t=1710000000,v1=abcdef1234567890

• t is a Unix timestamp.
• v1 is the HMAC of timestamp + "." + raw_body using the shared secret.

Verification steps

1. Read the X-Leafy-Signature header.
2. Check that the timestamp is within an acceptable time window (for example 5 minutes).
3. Compute the HMAC with your secret and compare it to the received hash.

In demo code samples you can implement this in Node.js, Python or any other language to clarify the pattern.