Verifying Webhook Signature?


I’m using a webhook in conjunction with AWS Lambda and would like to verify the connection. I don’t think I can access the shared secret as part of the handshake. Are there other considerations for verifying the connection?

Ooh, yes, that would be a concern, since your AWS Lambda function must echo the content of the secret header back during the handshake - that is, it has to reply with the same header for the handshake to succeed.

One solution might be covered here: "Pass custom headers through API Gateway to a Lambda function" (AWS re:Post). It sounds like AWS API Gateway can be given intermediate transformation functions that will take the headers and pack them into the body that’s passed to Lambda and (probably) vice-versa, and these would both need to happen for the handshake to succeed.

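An added example, not part of the original posts or any provider's code: a Lambda handler behind an API Gateway proxy integration (which delivers request headers in `event["headers"]`) that echoes the handshake secret back and then verifies a signature on later deliveries. The header names, the in-memory secret store and the hex HMAC-SHA256 scheme are assumptions; substitute what your webhook provider documents.

```python
import base64
import hashlib
import hmac

# Hypothetical header names; use the ones your webhook provider documents.
HANDSHAKE_HEADER = "x-hook-secret"
SIGNATURE_HEADER = "x-hook-signature"
# Demo-only store. Lambda containers are ephemeral, so a real function
# must persist the secret outside the process.
SECRETS = {}


def raw_body(event):
    """Return the exact request bytes that the sender signed."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        return base64.b64decode(body)
    return body.encode("utf-8")


def handler(event, context=None):
    # HTTP header names are case-insensitive; normalise before lookup.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    hook_id = event.get("path", "/")
    secret = headers.get(HANDSHAKE_HEADER)
    if secret:
        # Handshake: accept only the first secret for this endpoint, so a
        # later caller cannot replace it, then echo it in the same header.
        if hook_id in SECRETS:
            return {"statusCode": 409, "body": "secret already registered"}
        SECRETS[hook_id] = secret
        return {"statusCode": 200, "headers": {HANDSHAKE_HEADER: secret}, "body": ""}
    # Later deliveries: recompute the HMAC over the raw body and compare.
    stored = SECRETS.get(hook_id)
    received = headers.get(SIGNATURE_HEADER, "")
    if stored is None or not received:
        return {"statusCode": 401, "body": "missing secret or signature"}
    expected = hmac.new(stored.encode(), raw_body(event), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return {"statusCode": 401, "body": "bad signature"}
    return {"statusCode": 200, "body": "ok"}
```

The signature is checked against the raw body bytes, so any mapping template that rewrites the body before Lambda sees it will make verification fail.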