Webhook Receiver Examples

This page provides simple webhook receiver examples in various programming languages to help you get started with OpenTiendas webhooks. Each example shows how to:

• Receive HTTP POST requests
• Parse the JSON payload
• Verify the X-Signature header for authenticity
• Respond with HTTP 200 upon success

info

These minimal examples focus on signature verification logic only.
To build a full receiver, integrate them into your preferred web framework or server setup, and add logic to handle the event payload.

Python

import hmac
import hashlib

SECRET = b"your_webhook_secret"
payload = b'{"example":"data"}'
signature_header = "sha256=" + hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def is_valid_signature(secret, payload, signature):
    expected_signature = "sha256=" + hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_signature, signature)

if is_valid_signature(SECRET, payload, signature_header):
    # TODO: Process the webhook event here
    print("Valid signature. Processing event...")
else:
    print("Invalid signature. Ignoring.")

Node.js

const crypto = require('crypto');

const SECRET = "your_webhook_secret";
const payload = '{"example":"data"}';
const signatureHeader = 'sha256=' + crypto.createHmac('sha256', SECRET).update(payload).digest('hex');

function isValidSignature(secret, payload, signature) {
    const expected = 'sha256=' + crypto.createHmac('sha256', secret).update(payload).digest('hex');
    return expected === signature;
}

if (isValidSignature(SECRET, payload, signatureHeader)) {
    // TODO: Handle the webhook event here
    console.log("Valid signature. Processing event...");
} else {
    console.log("Invalid signature. Ignoring.");
}

.NET (C#)

using System.Security.Cryptography;
using System.Text;

var secret = Encoding.UTF8.GetBytes("your_webhook_secret");
var payload = Encoding.UTF8.GetBytes("{\"example\":\"data\"}");
using var hmac = new HMACSHA256(secret);
var hash = hmac.ComputeHash(payload);
var expectedSignature = "sha256=" + BitConverter.ToString(hash).Replace("-", "").ToLower();
var signatureHeader = expectedSignature;

if (signatureHeader == expectedSignature)
{
    // TODO: Process the webhook event here
    Console.WriteLine("Valid signature. Processing event...");
}
else
{
    Console.WriteLine("Invalid signature. Ignoring.");
}

Ruby

require 'openssl'

SECRET = "your_webhook_secret"
payload = '{"example":"data"}'
signature = "sha256=#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"

def valid_signature?(secret, payload, signature)
  expected = "sha256=#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
  Rack::Utils.secure_compare(expected, signature)
end

if valid_signature?(SECRET, payload, signature)
  # TODO: Process the webhook event here
  puts "Valid signature. Processing event..."
else
  puts "Invalid signature. Ignoring."
end

PHP

<?php
$secret = "your_webhook_secret";
$payload = '{"example":"data"}';
$computed_hash = hash_hmac('sha256', $payload, $secret);
$signature = "sha256=$computed_hash";

if ("sha256=$computed_hash" === $signature) {
    // TODO: Process the webhook event here
    echo "Valid signature. Processing event...";
} else {
    echo "Invalid signature. Ignoring.";
}
?>

Go

package main

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "fmt"
)

func main() {
    secret := []byte("your_webhook_secret")
    payload := []byte(`{"example":"data"}`)
    mac := hmac.New(sha256.New, secret)
    mac.Write(payload)
    expected := "sha256=" + hex.EncodeToString(mac.Sum(nil))
    signature := expected

    if signature == expected {
        // TODO: Process the webhook event here
        fmt.Println("Valid signature. Processing event...")
    } else {
        fmt.Println("Invalid signature. Ignoring.")
    }
}

Java

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class WebhookValidator {
    public static void main(String[] args) throws Exception {
        String secret = "your_webhook_secret";
        String payload = "{\"example\":\"data\"}";
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(), "HmacSHA256"));
        byte[] hash = mac.doFinal(payload.getBytes());
        StringBuilder hexString = new StringBuilder();
        for (byte b : hash) {
            hexString.append(String.format("%02x", b));
        }
        String signature = "sha256=" + hexString;
        
        if (signature.equals("sha256=" + hexString)) {
            // TODO: Process the webhook event here
            System.out.println("Valid signature. Processing event...");
        } else {
            System.out.println("Invalid signature. Ignoring.");
        }
    }
}

---

Use these examples as a starting point to integrate OpenTiendas webhooks into your system. Rememebr to check Retries and Error Handling and Security and validation section.