Webhooks
Outgoing webhook delivery format and headers for subscribed events.
Outgoing Webhooks
Webhooks sent by Memida to your configured endpoints include the following headers:
X-Memida-Id: <webhook_delivery_id>
X-Memida-Event: <event_type>
X-Memida-Timestamp: <timestamp>
X-Memida-Signature: v1=<hmac_signature>
Verify the HMAC signature using your webhook secret to ensure the request's authenticity. The signature is generated using the HMAC-SHA256 algorithm with the following format:
HMAC-SHA256(secret, timestamp + '.' + rawJsonBody)
Webhook HMAC Example (Python)
import hmac
import hashlib
import json


def verify_memida_signature(
    secret: str,
    timestamp: str,
    raw_json_body: bytes,  # unparsed raw request body
    signature_header: str,  # e.g. 'v1=abcdef...'
) -> bool:
    if not signature_header.startswith('v1='):
        return False
    received_sig = signature_header.split('=', 1)[1]

    # HMAC-SHA256(secret, timestamp + '.' + rawJsonBody)
    signed_payload = timestamp.encode('utf-8') + b'.' + raw_json_body
    expected_sig = hmac.new(
        key=secret.encode('utf-8'),
        msg=signed_payload,
        digestmod=hashlib.sha256,
    ).hexdigest()

    # Constant-time comparison; compare bytes so a non-ASCII header value
    # cannot raise TypeError inside compare_digest
    return hmac.compare_digest(
        received_sig.encode('utf-8'),
        expected_sig.encode('utf-8'),
    )


# Example
secret = 'whsec_test_123'
timestamp = '1700000000'
raw_body = json.dumps(
    {'event_id': 'abc', 'event_type': 'apparatus.updated'},
    separators=(',', ':'),
).encode('utf-8')
signature_header = 'v1=<your_signature_from_x-memida-signature>'
print('valid' if verify_memida_signature(secret, timestamp, raw_body, signature_header) else 'invalid')
You can use the test endpoint to validate your webhook handling implementation and signature verification logic. The test endpoint will send a sample webhook payload to your configured URL, allowing you to confirm that your system correctly processes incoming webhooks and verifies signatures as expected.
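A receiver usually needs more than the bare HMAC check. The following is an added example, not Memida's own code: it accepts more than one secret on the receiver side (useful around a `rotate_secret=true` rotation), rejects old timestamps, and rejects replayed requests. It assumes `X-Memida-Timestamp` is Unix seconds, as the sample value above suggests, and a 300-second tolerance; `DeliveryVerifier`, `sign`, `demo` and the secrets are hypothetical names and values.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds; assumed tolerance, not a value from the page

def sign(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Header value in the page's format; used here to build sample deliveries."""
    msg = timestamp.encode() + b"." + raw_body
    return "v1=" + hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

class DeliveryVerifier:
    def __init__(self, secrets, max_skew=MAX_SKEW):
        self.secrets = list(secrets)  # e.g. new secret plus the one being rotated out
        self.max_skew = max_skew
        self.seen = {}  # signature -> expiry; a shared store with TTL in production

    def check(self, headers, raw_body: bytes, now=None) -> str:
        now = time.time() if now is None else now
        ts = headers.get("X-Memida-Timestamp", "")
        sig = headers.get("X-Memida-Signature", "")
        if not (sig.startswith("v1=") and ts.isascii() and ts.isdigit()):
            return "malformed"
        # Authenticate first (timestamp is untrusted until the HMAC matches); compare bytes.
        if not any(hmac.compare_digest(sig.encode(), sign(s, ts, raw_body).encode())
                   for s in self.secrets):
            return "bad_signature"
        if abs(now - int(ts)) > self.max_skew:
            return "stale"
        # X-Memida-Id is not in the signed string, so the replay cache is keyed on
        # the verified signature, which covers both timestamp and body.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        if sig in self.seen:
            return "replay"
        self.seen[sig] = now + 2 * self.max_skew
        return "ok"

def demo():
    """Constructed deliveries; secrets and body are made up for this example."""
    v = DeliveryVerifier(["whsec_new_example", "whsec_old_example"])
    body = b'{"event_id":"abc","event_type":"apparatus.updated"}'
    hdr = {"X-Memida-Timestamp": "1700000000",
           "X-Memida-Signature": sign("whsec_old_example", "1700000000", body)}
    return [
        v.check(hdr, body, now=1700000060),                          # first delivery
        v.check(hdr, body, now=1700000090),                          # same request again
        v.check(hdr, body.replace(b"abc", b"xyz"), now=1700000090),  # body altered
        v.check(hdr, body, now=1700009999),                          # replayed much later
    ]
```

Pass `check` the request body exactly as received; re-serializing parsed JSON can change the bytes and break the signature.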
📄️ List webhook subscriptions
Lists active and inactive webhook subscriptions of the authenticated organization/tenant.
📄️ Create webhook subscription
Creates a webhook subscription for one event type. The signing secret is returned only once.
📄️ Update webhook subscription
Updates a webhook subscription's metadata. `target_url` and `event_type` are immutable and require a new subscription. Use `rotate_secret=true` to generate a new signing secret.
📄️ Delete webhook subscription
Soft deletes a webhook subscription by deactivating it.
📄️ Queue test webhook delivery
Queues a test delivery for one webhook subscription using the same signing format as regular deliveries.
📄️ memidaEvent