How do I verify that the Voice API Webhook request and its payload have not been tampered with during transit?

Vonage API Support

Objective

Steps to verify that the Voice API Webhook request and its payload have remained intact and untampered with during transit.

Applies To

  • Voice API
  • Validating Signed Webhooks

Procedure

There are two parts to validating signed webhooks:

  1. Verifying the request

    Webhooks include a JWT in the Authorization header. Use the API key included in the JWT claims to identify which of your signature secrets was used to sign the request: it is the signature secret associated with the API_key in the JWT claims. You can find your signature secret on the Dashboard.

    A reference code snippet for verifying the webhook request can be found here.

  2. Verifying the payload

    Once you have verified the authenticity of the request, you may optionally verify that the request payload has not been tampered with by comparing a SHA-256 hash of the payload to the payload_hash field found in the JWT claims. If they do not match, then the payload has been tampered with during transit.

    Follow these steps to verify the payload:

      • Create an object from the search/query parameters (for GET) or the request body (for POST). The order of the properties in the object has to match the order of the parameters.
      • Convert that object to a JSON string. There must be no whitespace surrounding the properties in the string.
      • Hash that string using SHA-256, then compare it to the payload_hash claim in the JWT.
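Both parts of the procedure in one check, as an added example (not Vonage's reference snippet) using only the Python standard library. Assumptions not stated on this page: the JWT is signed with HS256, the claims are named `api_key` and `payload_hash`, `payload_hash` is a lowercase hex digest, and the `SECRETS` map, key, secret and phone numbers are constructed sample values.

```python
import base64, hashlib, hmac, json

# Constructed api_key -> signature secret map (real secrets come from the Dashboard).
SECRETS = {"abcd1234": b"constructed-signature-secret"}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def payload_hash(params):
    # Compact JSON: original key order kept, no whitespace around "," or ":".
    compact = json.dumps(params, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(compact.encode("utf-8")).hexdigest()

def verify_webhook(token, params):
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False  # malformed token (bad segment count, base64 or JSON)
    ok_shape = isinstance(header, dict) and isinstance(claims, dict)
    if not ok_shape or header.get("alg") != "HS256":  # pin the algorithm (assumed HS256)
        return False
    api_key = claims.get("api_key")
    secret = SECRETS.get(api_key) if isinstance(api_key, str) else None
    if secret is None:
        return False  # no signature secret known for this API key
    signed = f"{head_b64}.{claims_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False  # part 1 failed: the request is not authentic
    claimed = str(claims.get("payload_hash", "")).encode()
    return hmac.compare_digest(payload_hash(params).encode(), claimed)  # part 2

def make_constructed_token(params, api_key="abcd1234", secret=SECRETS["abcd1234"]):
    # Builds a sample signed token for this demonstration only.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"api_key": api_key, "payload_hash": payload_hash(params)}
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

if __name__ == "__main__":
    body = {"from": "447700900000", "to": "447700900001", "status": "answered"}
    print(verify_webhook(make_constructed_token(body), body))
```

Hash the parameters in the order they arrived: re-sorting keys or pretty-printing the JSON before hashing produces a different digest and a false tamper result.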

Additional Information

For more information on Voice API Signed Webhooks, please refer to our doc - https://developer.vonage.com/en/getting-started/concepts/webhooks#decoding-signed-webhooks