You can verify webhook requests that Livepeer.com sends to your endpoints, using the request header signature included by Livepeer.com. This signature will help you verify the incoming request comes from Livepeer.com and not a third party.
Livepeer.com will include a signature in each event’s header. The timestamp is prefixed by t= and the signature is prefixed by a scheme. Schemes start with v, followed by an integer. Currently, the only valid signature scheme is v1. Livepeer.com generates signatures using HMAC with
To validate the signature, take the following steps:
Split the header, using the , character as the separator, to get a list of elements. Then split each element, using the = character as the separator, to get a prefix and value pair. The value for the prefix t corresponds to the timestamp, and v1 corresponds to the signature (or signatures). You can discard all other elements.
signed_payload is the raw request payload. Note that the JSON in the request payload includes the same timestamp from the signature header to protect against replay attacks.
Compare the signature (or signatures) in the header to the expected signature. For an equality match, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.
To protect against timing attacks, use a constant-time string comparison to compare the expected signature to each of the received signatures.
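The validation steps above as one receiver-side check, written as an added example (not Livepeer.com's own code). Assumptions: the hash is SHA-256 with hex-encoded output and the HMAC key is your webhook's shared secret (the page does not name either), the JSON timestamp field is called "timestamp", and all function and constant names are hypothetical.

```python
import hashlib
import hmac
import json

def parse_signature_header(header):
    """Split on ',' then '='; keep the t value and every v1 value, discard the rest."""
    timestamp, signatures = None, []
    for element in header.split(","):
        prefix, sep, value = element.strip().partition("=")
        if sep and prefix == "t":
            timestamp = value
        elif sep and prefix == "v1":
            signatures.append(value)
    return timestamp, signatures

def verify_webhook(header, raw_body, secret, now, tolerance, ts_field="timestamp"):
    """True only if a v1 signature matches raw_body and the timestamp is fresh.

    raw_body is the bytes exactly as received (never re-serialized JSON).
    now and tolerance use the same unit as the header timestamp.
    ts_field is the assumed name of the timestamp field in the JSON body.
    """
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not signatures:
        return False
    # Assumption: HMAC-SHA256 keyed with the shared secret, hex-encoded.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison against each received signature.
    if not any([hmac.compare_digest(expected, s.encode()) for s in signatures]):
        return False
    # signed_payload is the body only, so the header timestamp is not covered by
    # the HMAC; the copy in the body is. Require both to agree before using it.
    try:
        received = int(timestamp)
        body = json.loads(raw_body)
        if not isinstance(body, dict) or body.get(ts_field) != received:
            return False
    except ValueError:
        return False
    return abs(now - received) <= tolerance

# Constructed sample values, not real Livepeer.com data.
SECRET = b"example-signing-secret"
BODY = b'{"event":"example.event","timestamp":1700000000000}'
SIG = hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()
HEADER = f"t=1700000000000,v1={SIG}"
```

Pass the request body bytes before any JSON parsing middleware touches them; a re-serialized body will not reproduce the signed bytes.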