Signature Verification

Incoming webhook requests include two headers:

Headers

  • X-Fortisx-Event-Id — unique id (use for idempotency).

  • X-Fortisx-Signature — t=<unix_ts>, v1=<hex(hmac_sha256(raw_body, secret))>.

Compute the HMAC over the raw request body bytes (the exact byte stream received), not over a re-serialized JSON representation; re-encoding the JSON changes whitespace and key order and produces a different digest.

Verification checklist

  1. Parse X-Fortisx-Signature to t and v1.

  2. Validate that t is within ±5 minutes of the receiver's current time; reject the request if it drifts further.

  3. Compute expected = HMAC_SHA256(raw_request_body_bytes, secret).

  4. Compare expected with v1 using a constant-time comparison.

  5. Ensure idempotency via X-Fortisx-Event-Id.


cURL (simulate delivery)

curl -X POST "https://your-app.test/webhooks/fortisx" \
  -H "Content-Type: application/json" \
  -H "X-Fortisx-Event-Id: evt_01HXYZA12B" \
  -H "X-Fortisx-Signature: t=1730548800, v1=<your_hex_digest>" \
  -d '{
    "id": "evt_01HXYZA12B",
    "type": "alert.created",
    "occurredAt": "2025-11-02T12:40:00Z",
    "data": {
      "id": 1119,
      "networkCode": "SOL",
      "stakingPoolId": 82,
      "eventType": "TVL_Spike",
      "windowMinutes": 60,
      "valueFrom": "5200000.000000000000000000",
      "valueTo": "6050000.000000000000000000",
      "unit": "USD",
      "tokenSymbol": "SOL",
      "deltaAbs": "850000.000000000000000000",
      "deltaRelPct": "16.346154",
      "detectedAt": "2025-11-02 12:40:00"
    }
  }'

Compute the digest over the exact bytes of the body above (including the spaces and newlines that the shell-quoted string contains).
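A receiver that walks through the five checklist steps against the cURL payload above, as an added Python example; it is not code shipped by Fortisx. It assumes a constructed secret, an in-memory deduplication store, and headers passed as a plain dict keyed by the exact header names. As the page specifies, the MAC covers only the raw body, so the t value is checked from the header as received. The sign helper exists only to produce the header value the cURL example leaves as <your_hex_digest>, so the same body can be replayed against the verifier offline.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample secret for this example; it is not a real Fortisx credential.
SECRET = b"whsec_example_not_a_real_secret"

# The request body exactly as the cURL example sends it: the shell single-quoted
# string, newlines and indentation included. The HMAC is taken over these bytes.
RAW_BODY = b'''{
    "id": "evt_01HXYZA12B",
    "type": "alert.created",
    "occurredAt": "2025-11-02T12:40:00Z",
    "data": {
      "id": 1119,
      "networkCode": "SOL",
      "stakingPoolId": 82,
      "eventType": "TVL_Spike",
      "windowMinutes": 60,
      "valueFrom": "5200000.000000000000000000",
      "valueTo": "6050000.000000000000000000",
      "unit": "USD",
      "tokenSymbol": "SOL",
      "deltaAbs": "850000.000000000000000000",
      "deltaRelPct": "16.346154",
      "detectedAt": "2025-11-02 12:40:00"
    }
  }'''

TOLERANCE_SECONDS = 5 * 60  # the +/-5 minute drift window from the checklist


def sign(raw_body: bytes, secret: bytes, ts: int) -> str:
    """Build an X-Fortisx-Signature value for a body (sender side / test fixture)."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return "t=%d, v1=%s" % (ts, digest)


def parse_signature_header(header: str) -> dict:
    """Step 1: split 't=<ts>, v1=<hex>' into its parts; tolerates spaces after commas."""
    parts = {}
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            raise ValueError("malformed signature element: %r" % item)
        parts[key.strip()] = value.strip()
    if "t" not in parts or "v1" not in parts:
        raise ValueError("signature header must carry both t and v1")
    return parts


def verify(raw_body: bytes, header: str, secret: bytes,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Steps 1-4. Returns (ok, reason); reason is 'ok' on success."""
    try:
        parts = parse_signature_header(header)
        ts = int(parts["t"])
    except ValueError as exc:
        return False, "bad signature header: %s" % exc
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:  # step 2
        return False, "timestamp out of window"
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()  # step 3
    # Step 4: constant-time comparison on bytes, so a non-ASCII v1 cannot raise and
    # the comparison time does not depend on how many leading bytes matched.
    if not hmac.compare_digest(expected.encode(), parts["v1"].lower().encode()):
        return False, "signature mismatch"
    return True, "ok"


class EventDeduper:
    """Step 5: remember seen X-Fortisx-Event-Id values. In-memory here; a shared
    store (database or cache) is needed once more than one receiver process runs."""

    def __init__(self) -> None:
        self._seen = set()

    def first_time(self, event_id: str) -> bool:
        if event_id in self._seen:
            return False
        self._seen.add(event_id)
        return True


def handle_delivery(headers: dict, raw_body: bytes, secret: bytes,
                    deduper: EventDeduper, now: Optional[int] = None) -> Tuple[int, str]:
    """Whole receiver flow: verify, deduplicate, hand off. Returns (http_status, reason)."""
    sig = headers.get("X-Fortisx-Signature")
    event_id = headers.get("X-Fortisx-Event-Id")
    if not sig or not event_id:
        return 400, "missing webhook headers"
    ok, reason = verify(raw_body, sig, secret, now)
    if not ok:
        return 400, reason
    if not deduper.first_time(event_id):
        # Design choice: acknowledge duplicates with 2xx so the sender stops retrying.
        return 200, "duplicate ignored"
    event = json.loads(raw_body)  # parse only after the signature checked out
    return 200, "accepted " + event["type"]
```

Note that verify(json.dumps(json.loads(RAW_BODY)).encode(), ...) fails with "signature mismatch" even though the JSON is semantically identical: this is the raw-bytes rule from the checklist in action, and it is the most common cause of the "Signature mismatch" entry under Troubleshooting.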


Delivery & Retries

  • Return 2xx within 5 seconds.

  • Deliveries that receive a non-2xx response (or no response within the 5-second limit) are retried with exponential backoff.

  • Enqueue heavy work and respond immediately.

  • Implement idempotency via X-Fortisx-Event-Id (deduplicate).


Troubleshooting

  • Signature mismatch — recompute HMAC on raw bytes and verify secret.

  • Timestamp out of window — check server clock and header t.

  • Duplicate deliveries — ensure idempotency by X-Fortisx-Event-Id.
