Webhook Signatures

You can verify webhook requests that Livepeer.com sends to your endpoints, using the request header signature included by Livepeer.com. This signature will help you verify the incoming request comes from Livepeer.com and not a third party.

Livepeer.com will include a signature in each event’s Livepeer-Signature header. The timestamp is prefixed by t= and the signature is prefixed by a scheme. Schemes start with v, followed by an integer. Currently, the only valid signature scheme is v1. Livepeer.com generates signatures using HMAC with SHA2-256.

Livepeer-Signature: t=36285904404,v1=88f3ff0fds9sf8a98vb0b096e81507cfd5c932fc17cf63a4a55566fd38da3a2d3d2

To validate the signature, take the following steps:

Split the header, using the , character as the separator, to get a list of elements. Then split each element, using the = character as the separator, to get a prefix and value pair. The value for the prefix t corresponds to the timestamp, and v1 corresponds to the signature (or signatures). You can discard all other elements.

The signed_payload is the raw request payload. Note that the JSON in the request payload includes the same timestamp from the signature header to protect against replay attacks.

Compare the signature (or signatures) in the header to the expected signature. For an equality match, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.

To protect against timing attacks, use a constant-time string comparison to compare the expected signature to each of the received signatures.