Webhooks enable HTTP payloads to be sent to an external service when data in Ditto is changed.
Signing key requirements
Generating a signing key
uuidgen
is available:Rotating your signing key
x-ditto-request-id
— a v4 uuid uniquely identifying a given request. This identifier can be cross-referenced 1:1 with delivery history exported from inside of Ditto.x-ditto-timestamp
— a Unix timestamp identifying the time at which the request was made. This timestamp is included in the signature and can therefore be used to guard against replay attacks.x-ditto-signature
— a signature (HMAC-SHA256) created using your workspace’s webhook signing key, by concatenating the request ID, the timestamp of the request and the request body (each separated by a period).x-ditto-signature
header.
.
character
${requestId}.${timestamp}.${JSON.stringify(req.body)}
;x-ditto-signature
header. If it does not match, then the request is not valid and an error response should be returned.x-ditto-timestamp
header.
event
and data
properties.