Webhook Reference

Import2 sends migration status updates to the webhook URL specified while registering your application via HTTP Post request. Currently, webhook functionality doesn’t re-send import status if your app was unreachable or has responded with an HTTP error.

Webhook URL is called in the following cases:

  • Customer has started a new migration
  • Import2 has completed the sample migration
  • Import2 has completed the full migration
  • Customer has started undo of the migration
  • Import2 has completed undo of the migration

Payload example:

1
2
3
4
5
6
7
8
9
10
11

Content-Type: application/json
X-Authorization-Content-SHA256: abc

{
    "id":"my-import-id",
    "token":"my-import-unique-token",
    "status_code":"scheduled",
    "status":"Sample Import in Progress",
    "users":{"source_tool":5, "destination_tool":4, "matched":3},
    "timestamp":1708989523402
}

Verification

Import2 supports webhook payload verification through X-Authorization-Content-SHA256 request header and timestamp property in the body of the webhook.

Payload verification

You can use provided webhook secret in order to generate a SHA256 signature and compare it to the signature included in the X-Authorization-Content-SHA256 header: 

1
2
3
4
5
6
7

received_signature = request.headers['X-Authorization-Content-SHA256']
local_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), SECRET_KEY, request.body)
if received_signature == local_signature
    puts "Verified webhook message"
else
    raise "Tampered webhook message"
end

Replay attack prevention

Once the payload is verified, you can make sure that sent message was not retransmitted by checking that timestamp of the payload is not old: 

1
2
3
4
5
6

message_time = JSON.parse(payload)['timestamp']
if Time.now - 10.sec > message_time
    puts "Valid webhook message"
else
    raise "Retransmitted webhook message"
end