Format & Signature
Webhooks are HTTP notifications sent from Lago to your application.
The messages are sent as a POST
to the URL defined in the settings of your
Lago workspace.
Message format
POST __WEBHOOK_URL__
{
"webhook_type": "__TYPE__",
"object_type": "OBJECT_TYPE",
"__OBJECT__": {}
}
Signature
Allong with the payload the message contains both X-Lago-Signature
and X-Lago-Signature-Algorithm
HTTP header.
It is used to ensure the message is Coming from Lago and that the message has not been altered.
To verify the signature, you must decode the signature and compare the result with the body of the webhook.
You can choose between 2 differents signatures algorithm during your webhook endpoints creation, hmac
or jwt
.
Please note that jwt
is our original signature and is used by default.
JWT Signature
1. Retrieve the public key
You should persist the public key on your side to avoid querying it for each webhook.
2. Decode and validate the signature
HMAC Signature
Decode and validate the signature
Was this page helpful?