Verifying and Validating Webhooks
ChargeOver sends data within webhooks that you can use to verify that the webhook is from ChargeOver rather than from another source.
When you configure webhooks in your ChargeOver account, you will see a field for your "Webhook/callback secret token or encryption key." When you receive a webhook from ChargeOver, the same token/key that was generated in your account appears in two places within the webhook itself:
- The security_token embedded in the JSON request of each webhook
- This value is also sent in an HTTP header called X-ChargeOver-Key
Locating your security key/token in a webhook
The security_token and the X-ChargeOver-Key can be seen in the example below.
POST /path/to/your/endpoint HTTP/1.1
Content-Type: application/json
X-ChargeOver-Key: SFkJ3fy02n17YxNXm96tCGUKVTOAIBsH
X-Chargeover-Source: example.chargeover.com

{
    "context_str": "user",
    "context_id": 370,
    "event": "insert",
    "data": {
        "user": {
            "user_id": 770,
            "external_key": null,
            "first_name": "Denise",
            "middle_name_glob": null,
            "last_name": "Wong",
            "name_suffix": null,
            "title": "",
            "email": "denise.k.wong@example.com",
            "token": "04lukh1f05rp",
            "phone": "403-568-4968",
            "custom_1": null,
            "custom_2": null,
            "custom_3": null,
            "custom_4": null,
            "custom_5": null,
            "user_type_id": 1,
            "write_datetime": "2017-08-18 13:43:42",
            "mod_datetime": "2017-10-05 17:51:22",
            "name": "Denise Wong",
            "display_as": "Denise Wong",
            "url_self": "https:\/\/karlitestaccount.chargeover.com\/admin\/r\/contact\/view\/770",
            "user_type_name": "Billing",
            "username": "hf20iutg6d9m",
            "customer_id": 413
        }
    },
    "security_token": "SFkJ3fy02n17YxNXm96tCGUKVTOAIBsH"
}
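
One way to perform this check in a receiving endpoint, shown as an added example (not ChargeOver's own code). The function names, the decision to require both copies of the token to match, and the trimmed sample request are assumptions of this example.

```python
import hmac
import json

# Constructed sample: token and fields are taken from the example request above.
SECRET = "SFkJ3fy02n17YxNXm96tCGUKVTOAIBsH"
SAMPLE_HEADERS = {"Content-Type": "application/json", "X-ChargeOver-Key": SECRET}
SAMPLE_BODY = json.dumps({"context_str": "user", "context_id": 370,
                          "event": "insert", "security_token": SECRET}).encode()


def _token_matches(candidate, expected_bytes):
    """Constant-time comparison; a missing or non-string token never matches."""
    if not isinstance(candidate, str):
        return False
    # surrogatepass keeps odd JSON escapes from raising instead of failing closed.
    return hmac.compare_digest(candidate.encode("utf-8", "surrogatepass"),
                               expected_bytes)


def verify_chargeover_webhook(headers, raw_body, expected_token):
    """Return the parsed payload if both token copies match, otherwise None."""
    if not expected_token:
        return None  # an unset secret must never match an empty token
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    try:
        payload = json.loads(raw_body)
    except (ValueError, TypeError):
        return None  # body is not valid JSON: reject
    if not isinstance(payload, dict):
        return None
    expected = expected_token.encode()
    # Assumption of this example: require BOTH copies of the token to match.
    header_ok = _token_matches(lowered.get("x-chargeover-key"), expected)
    body_ok = _token_matches(payload.get("security_token"), expected)
    return payload if (header_ok and body_ok) else None


if __name__ == "__main__":
    accepted = verify_chargeover_webhook(SAMPLE_HEADERS, SAMPLE_BODY, SECRET)
    print("accepted" if accepted is not None else "rejected")
```

Because the token itself travels in every webhook, load it from configuration rather than source code and keep the X-ChargeOver-Key header and raw request body out of application logs.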