Securing Webhooks
To ensure that a Webhook is received from SCS, the call is authenticated along
with the other URL parameters. SCS encrypts the authentication using a keyed-hash message
authentication code (HMAC) algorithm.
| Parameter | Description |
|---|---|
| timestamp | The number of seconds since January 1, 1970 UTC. |
| token | A random generated string of 64 alphanumeric characters. |
| signature | The string of hexadecimal digits generated by the HMAC algorithm. |
| Parameter | Description |
|---|---|
| domain | The SCS environment that sent the Webhook. Production is https://www.reservecloud.com/login. QA is https://qa.reservecloud.com/login |
| action | The action code that triggered the Webhook cal. For example, GUEST_ROOM_BLOCK_UPDATED |
| name | The name of the Webhook from settings. |
To verify the Webhook call has been received from SCS, you must:
- Concatenate the timestamp and token values.
- Encode the concatenated string with the HMAC algorithm. The key is available in the Webhooks Interface section of Settings in SCS. The algorithm must use the SHA256 hashing function.
- Hex encode the result using lower case for alphabetic characters.
- Compare your result with the signature parameter. Optionally, you can check to see if the timestamp is not too far from the current time.