I want webhook send request API will have a attribution identify.

[anhthh]

I created a webhook with event receipts were created. I want loyverse webhook should be attribute identify at header. How can i do that?

[Yasuaki]

Hello @anhthh

There are 3 ways of creating webhooks in Loyverse.

1. Create webhook from https://r.loyverse.com/dashboard/#/webhooks
2. Create webhook from /webhook endpoint using an Access token.
3. Create webhook from /webhook endpoint using OAuth 2.0.

Only when you create a webhook by 3. the webhook will contain X-Loyverse-Signature in the Header.

We use the HMAC algorithm with SHA-1 as a hash function.

[DaveHerbert]

can you please clarify option 2. Create webhook from /webhook endpoint using an Access token.

[Yasuaki]

5 hours ago, DaveHerbert said:

can you please clarify option 2. Create webhook from /webhook endpoint using an Access token.

You can create a webhook from this endpoint authorizing your post by an access token.
https://developer.loyverse.com/docs/#tag/Webhooks/paths/~1webhooks~1/post

[DaveHerbert]

can i authenticate a incoming webhook from the loyverse dashboard tool with just an access token without creating an app

[Yasuaki]

8 hours ago, DaveHerbert said:

can i authenticate a incoming webhook from the loyverse dashboard tool with just an access token without creating an app

Hello. 

No, the webhook doesn't contain your access token.

This is an example header of a webhook created with an access token.

[DaveHerbert]

Ok thanks. So my question is, how can we authenticate a webhook created from https://r.loyverse.com/dashboard/#/webhooks?

I read in another post that only when you create a webhook from /webhook endpoint using OAuth 2.0.. the webhook will contain X-Loyverse-Signature in the Header.

Edited September 6, 2024 by DaveHerbert

[Tanaka_Shotaro]

For your information, X-Loyverse-Signature is generated by using your secret key.

So, it is not possible for Loyverse to generate X-Loyverse-Signature without you using OAuth2.0.

[DaveHerbert]

Ok thanks. So my question is, how can we authenticate a webhook created from the dashboard tool?

On 7/24/2024 at 7:33 AM, Yasuaki said:

There are 3 ways of creating webhooks in Loyverse.

1. Create webhook from https://r.loyverse.com/dashboard/#/webhooks
2. Create webhook from /webhook endpoint using an Access token.
3. Create webhook from /webhook endpoint using OAuth 2.0.

Only when you create a webhook by 3. the webhook will contain X-Loyverse-Signature in the Header.

We use the HMAC algorithm with SHA-1 as a hash function.

Could you please clarify how to authenticate a webhook using option 1. Create webhook from https://r.loyverse.com/dashboard/#/webhooks?

because you say only when you create a webhook by 3. the webhook will contain X-Loyverse-Signature in the Header. 

[Tanaka_Shotaro]

13 hours ago, DaveHerbert said:

Ok thanks. So my question is, how can we authenticate a webhook created from the dashboard tool?

Could you please clarify how to authenticate a webhook using option 1. Create webhook from https://r.loyverse.com/dashboard/#/webhooks?

because you say only when you create a webhook by 3. the webhook will contain X-Loyverse-Signature in the Header. 

Hello,

If you’re looking to authenticate a webhook using methods other than the ones provided, you may need to devise your own authentication approach.

Here are a couple of ideas from me:

Manual Verification: For instance, if you want to verify the "receipts.update" webhook, you could send a request to retrieve the list of receipts after receiving the webhook and compare the response to ensure the webhook data matches.

IP Address Authentication: You can send a test webhook to yourself to identify the originating IP address, then whitelist that IP to secure your webhook.