How to Use Sift Science’s Asynchronous Webhook Notifications Securely

By Yoav Schatzberg / 8 Mar 2016

Last year, we launched Formulas and Actions, powerful tools for automating more of your fraud review workflow. Since then, we’ve gotten a lot of positive feedback from customers about how Actions are helping them streamline fraud management, but we’ve also gotten some questions about best practices. In this blog post, we’ll share guidelines for the best, most secure way to use Actions Webhooks to automate tasks that need to be done asynchronously.

As a very first step, you’ll need to set up some Actions, and create Formulas which will trigger those actions. You can read all about how to do that in our Formulas and Actions Tutorial.

Already got Actions set up? Great! The next step is to set up Actions Webhook Signing to validate that notifications are coming from us. Here’s how to get Actions Webhook Signing running in 3 easy steps:

Step 1: Before setting up Action Webhooks, you’ll want to enable webhook signing so that you can verify that the notifications are coming from Sift Science. To do so, go to the API Key Tab of our developer page in the Sift Science console. There you’ll see a section called Signature Keys:

[Image: sig1, the Signature Keys section of the console]

Step 2: Click on “Generate a new Signature key”, and activate the signature key:

[Image: sig2, generating and activating a signature key]

Your new signature key is active! You may only have one active key at a time. Make a note of it, because you’ll use it later in your code base.

Now that you’ve enabled webhook signing on Sift Science, all webhook notifications generated by our Formulas and Actions will have a signature in the HTTP header under “X-Sift-Science-Signature”. This signature is calculated by generating an SHA-1 hash of your signature key and the body of the notification.

Step 3: To verify that an HTTP notification is coming from Sift Science, create an SHA-1 hash of your signature key combined with the body of the notification you received, and compare it to the signature value in the HTTP header. It’s that easy! Here’s some sample code to give you an idea of how your webhook verification should operate:

[Image: sig3, sample webhook verification code]
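
An added example of the Step 3 check (not Sift's own sample code): it assumes the signature is an HMAC-SHA1 of the raw request body keyed with the signature key, hex-encoded with a `sha1=` prefix, so confirm both against the webhook authentication documentation. The key, body and function names are constructed for illustration.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "X-Sift-Science-Signature"  # header name given in the post


def compute_signature(signature_key: bytes, raw_body: bytes) -> str:
    """Keyed SHA-1 over the raw body.

    Assumption: HMAC construction, hex encoding and the 'sha1=' prefix.
    """
    digest = hmac.new(signature_key, raw_body, hashlib.sha1).hexdigest()
    return "sha1=" + digest


def verify_webhook(signature_key: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the header signature matches the received body.

    raw_body must be the bytes exactly as received; re-serialising parsed
    JSON can change whitespace or key order and break the comparison.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # unsigned notification: reject instead of processing
    expected = compute_signature(signature_key, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.strip().encode())


# Constructed sample data (not a real key or a real notification).
SAMPLE_KEY = b"constructed-signature-key"
SAMPLE_BODY = b'{"sample": "constructed notification body"}'
SAMPLE_HEADERS = {
    "x-sift-science-signature": compute_signature(SAMPLE_KEY, SAMPLE_BODY)
}

if __name__ == "__main__":
    print(verify_webhook(SAMPLE_KEY, SAMPLE_HEADERS, SAMPLE_BODY))         # genuine
    print(verify_webhook(SAMPLE_KEY, SAMPLE_HEADERS, SAMPLE_BODY + b" "))  # body altered
    print(verify_webhook(SAMPLE_KEY, {}, SAMPLE_BODY))                     # header missing
```

Run the check before parsing or acting on the notification, and respond with an error status when it fails so that unsigned or altered requests never trigger an automated action.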

For additional code examples, check out our webhook authentication documentation. Questions? Contact us anytime at support@siftscience.com. Thanks for tuning in!


Yoav Schatzberg

Yoav Schatzberg was a Solutions Engineer at Sift. Before Sift, Yoav worked as a Software Engineer on Software Defined Networking at Intel.
