Simple Integration Guide

1. Schedule It.

Use the following curl command to schedule a task with Schedify. Be sure to replace the values with your actual data.

curl -X POST https://api.schedify.dev/v1/schedule \
  -H "Content-Type: application/json" \
  -d '{
    "name": "SendWelcomeEmail",
    "payload": {
      "user_id": "12345",
      "email": "user@example.com"
    },
    "time": "2025-05-21T15:00:00Z",
    "url": "https://yourdomain.com/webhooks/welcome"
  }'

This request will create a scheduled event that posts the payload to your webhook at the specified time.

You'll receive a response like this:

{
  "status":1,
  "message":"Webhook event created successfully!",
  "data": {
    "eventId": "evt_abc123xyz",
    "webhookId": "b2953cf3-e9b4-4482-a74a-220288df32f0",
    "webhookSecret": "whsec_supersecretkey"
  }
}

2. Handle It.

When your scheduled event triggers, Schedify sends a POST request to your webhook URL, along with headers that allow you to verify the request's authenticity.

The payload will be the same as what you originally passed when scheduling the event.

📦 Headers Included:

X-Webhook-Signature: <HMAC signature>
X-Webhook-Timestamp: <Unix timestamp>
X-Webhook-ID: <Webhook ID>

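Use these headers and the raw request body to validate the signature. The signature is an HMAC-SHA256 hash keyed with your webhookSecret and base64-encoded; the Go logic below uses base64.RawURLEncoding, the URL-safe alphabet without padding, so a verifier must use the same encoding.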

🔐 Signature Generation Logic (Go):

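import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/base64"
    "fmt"
    "time"
)

// generateSignature signs webhookID, the current Unix timestamp and the payload,
// returning the encoded signature together with the timestamp that was signed.
func generateSignature(secret string, webhookID string, payload []byte) (string, int64, error) {
    timestamp := time.Now().UTC().Unix()

    // webhook_id.timestamp.payload
    signingPayload := fmt.Sprintf("%s.%d.%s", webhookID, timestamp, string(payload))

    h := hmac.New(sha256.New, []byte(secret))
    if _, err := h.Write([]byte(signingPayload)); err != nil {
        return "", timestamp, fmt.Errorf("failed to create HMAC: %w", err)
    }

    // Unpadded, URL-safe base64
    signature := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
    return signature, timestamp, nil
}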

To verify the signature:

  1. Extract the values of X-Webhook-ID and X-Webhook-Timestamp from the headers.
  2. Read the raw request body (the payload you sent when scheduling).
  3. Reconstruct the string as webhook_id.timestamp.payload.
  4. Use your webhookSecret to compute the HMAC-SHA256 signature.
  5. Compare it with X-Webhook-Signature. If they match, the request is authentic.

❗️ Reject the request if the signature doesn’t match, or if the timestamp is too old (e.g., older than 5 minutes) to prevent replay attacks.
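
The five verification steps and the replay check above, as an added Go example (not Schedify's own code). VerifyWebhook, computeMAC and maxSkew are names chosen here, and the secret, webhook ID and body in main are constructed sample values. It assumes the body is the raw bytes read from the request before any JSON parsing.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

const maxSkew = 5 * time.Minute // replay window, following the guide's 5-minute example

// computeMAC returns the raw HMAC-SHA256 over "webhook_id.timestamp.payload".
func computeMAC(secret, webhookID string, ts int64, body []byte) []byte {
	h := hmac.New(sha256.New, []byte(secret))
	fmt.Fprintf(h, "%s.%d.", webhookID, ts)
	h.Write(body)
	return h.Sum(nil)
}

// VerifyWebhook checks the three header values against the raw body; now is injected for testing.
func VerifyWebhook(secret, id, tsHeader, sigHeader string, body []byte, now time.Time) error {
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp")
	}
	// Decode with the same unpadded URL-safe alphabet the sender used.
	got, err := base64.RawURLEncoding.DecodeString(sigHeader)
	if err != nil {
		return errors.New("malformed signature")
	}
	// Constant-time compare; the timestamp is only trusted once the MAC matches.
	if !hmac.Equal(got, computeMAC(secret, id, ts, body)) {
		return errors.New("signature mismatch")
	}
	if age := now.Sub(time.Unix(ts, 0)); age > maxSkew || age < -maxSkew {
		return errors.New("timestamp outside allowed window")
	}
	return nil
}

func main() {
	secret, id, body := "whsec_example", "wh-id-1", []byte(`{"user_id":"12345"}`) // constructed
	now := time.Unix(1747839600, 0)
	sig := base64.RawURLEncoding.EncodeToString(computeMAC(secret, id, now.Unix(), body))
	fmt.Println(VerifyWebhook(secret, id, strconv.FormatInt(now.Unix(), 10), sig, body, now))
}
```

Because the timestamp is part of the signed string, changing X-Webhook-Timestamp to make an old delivery look fresh fails the signature check before the age check is reached.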