
Security and signatures

For an additional layer of security and to confirm that incoming requests on your webhook URL are coming from Loyalty Now, we recommend verifying using our webhook signatures. We send the following HTTP headers for each request we make to a webhook URL.

  • x-l1-signature - the HMAC-SHA256 signature of the request, as a Base64 string
  • x-l1-requestdate - the request timestamp, in the format "yyyy-MM-ddTHH:mm:ssZ" (UTC)

Each webhook you register generates a unique secret key. We return this key to you once the webhook has been registered.

To verify a webhook request, generate a signature using that key and compare it to the value of the x-l1-signature header. Use a constant-time comparison so that the check does not leak the expected value through response timing.

In a replay attack, an attacker who can intercept traffic captures a valid request, payload and signature included, and re-transmits it later so that you process it again. The x-l1-requestdate header lets you guard against this: because the timestamp is part of the signed string, it cannot be altered without invalidating the signature, so you can safely confirm that it is not too old. We recommend you discard any request whose request date is more than 1 minute old.

In the case of retries, a new signature and timestamp are generated for each retry request.

Creating the signature
  1. Build a string by concatenating the raw body of the request, the webhook URL and the timestamp value from the x-l1-requestdate header.
  2. Compute the HMAC-SHA256 of that string, keyed with the secretKey of that specific webhook, and Base64-encode the result.
  3. Compare the signature you generated with the value of the x-l1-signature header using a constant-time comparison.