How do I verify the webhook signatures?

Last updated: December 9, 2024

Every webhook sent from Pylon includes an X-Pylon-Signature header. The header can be used to verify that the webhook originated from Pylon's servers.

When a webhook is created, you'll see a secret. Store this secret; you can use it to compute signatures on the webhooks you receive and compare them against the value in the X-Pylon-Signature header. Matching signatures indicate that the webhook came from Pylon and was not tampered with.

For example, to compute the signature in Go:

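import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)
func ComputeSignature(secret string, payloadBytes []byte) string {
	hasher := hmac.New(sha256.New, []byte(secret)) // HMAC-SHA256 keyed with the webhook secret
	hasher.Write(payloadBytes)
	return hex.EncodeToString(hasher.Sum(nil)) // hex-encoded digest
}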
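
The receiving side of the comparison described above, as an added example that is not Pylon's own code. It assumes the signature covers the raw request body and arrives as lowercase hex (the form the function above produces); the /webhook path, the 1 MiB body cap, and the sample secret and payload are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Sign returns the hex HMAC-SHA256 of body, same computation as the page's function.
func Sign(secret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Handler verifies X-Pylon-Signature over the raw body bytes before any parsing.
func Handler(secret string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // assumed 1 MiB cap
		if err != nil {
			http.Error(w, "unreadable body", http.StatusBadRequest)
			return
		}
		want := Sign(secret, body)
		// hmac.Equal compares in constant time, unlike == on strings.
		if !hmac.Equal([]byte(want), []byte(r.Header.Get("X-Pylon-Signature"))) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusNoContent) // verified: now safe to decode body
	}
}

// Deliver pushes one constructed request through Handler and returns the status.
func Deliver(secret, body, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(body))
	req.Header.Set("X-Pylon-Signature", sig)
	rec := httptest.NewRecorder()
	Handler(secret)(rec, req)
	return rec.Code
}

func main() {
	println(Deliver("constructed-secret", `{}`, Sign("constructed-secret", []byte(`{}`)))) // prints 204
}
```

Verify against the bytes as received: decoding and re-encoding the JSON before hashing can change whitespace or key order and produce a mismatch.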