Thy Street
  • Getting started
  • 🤖Devices
    • What is a device?
    • Create Device
    • Device Page
    • Webhook
      • Set Up and Edit Webhooks
      • Validate and test webhooks
      • Custom Adapter
  • Tariff Manager
    • What is a tariff card?
    • Create Tariff Card
    • Edit Tariff Card
  • Accounts
    • Account Settings
      • API Credentials
    • Payment
  • Frequently Asked Questions
    • What are FAQs?
    • Create a question
  • Examples
    • Liquid Vending Device
      • Hardware
      • Software
Powered by GitBook
On this page
  • Test Webhooks
  • Request interceptor
  • Application Running on Localhost
  • Validate Webhooks

Was this helpful?

  1. Devices
  2. Webhook

Validate and test webhooks

You need to validate and test the webhook before you can start using them.

PreviousSet Up and Edit WebhooksNextCustom Adapter

Last updated 3 years ago

Was this helpful?

Test Webhooks

You can test the webhooks to verify payloads or check if your webhook integration is working.

You can test webhooks:

Request interceptor

There are many free webhook testing tools available online. We will be using one such service, , to test webhooks.

To test webhooks:

  1. Open

  2. Click Create Request Bin and log in to create a private bin. Alternatively, you can opt for a public bin.

  3. Copy the endpoint created for you.

  4. Proceed to , but paste the endpoint you copied in the previous step in the Webhook URL field.

  5. After completing the device setup, you should start receiving the tariff's payload on your requestbin.com site.

Application Running on Localhost

You can refer to their respective documentation to get started. Use the URL endpoint generated by these tools in the webhook URL while setting up your webhooks.

Validate Webhooks

When your webhook secret is set, Thy Street uses it to create a hash signature with each payload. This hash signature is passed with each request under the X-ThyStreet-Signature header that you need to validate at your end.

key = webhook_secret
message = webhook_body // raw webhook request body
received_signature = webhook_signature

expected_signature = hmac('sha256', message, key)

if expected_signature != received_signature
    throw SomeSecurityException
end

Do Not Parse or Cast the Webhook Request Body

While generating the signature at your end, ensure that you are using the raw webhook request body. Do not parse or cast the webhook request body.

Handy Tips

If you have changed your webhook secret, remember to use the old secret for webhook signature validation while retrying older requests. Using the new secret will lead to a signature mismatch.

You cannot use localhost directly to receive payload as webhook delivery requires a public URL. You can handle this by creating a tunnel to your localhost using tools such as or .

The hash signature is calculated using HMAC with SHA256 algorithm, with your webhook secret set as the key and the webhook request body as the message. You can validate the webhook signature yourself using an as shown below:

🤖
ngrok
localtunnel
HMAC
requestbin.com
requestbin.com
set up webhooks
using request interceptor tools
on an application running on localhost