Omnibasis uses the SHA256 hash algorithm to create a API signature. 

When webhook call made, Omnibasis creates a signature by hashing the HTTP request's body. Your application with a subscription to a webhook should hash received body and check whether it is equal with received key called abp-webhook-signature

Using Omnibasis API to validate signature

You can use API call{YOUR_SECRET_KEY} to test API signature. It will execute the call described below.

  1. In the header of the call, you need to provide abp-webhook-signature.
  2. In the URL, you need to replace {YOUR_SECRET_KEY} with a key from subscription details.
  3. Request body should contain data information.

Using Postman

You can use Postman to test the above call with a body.

Example of Webhook Verification in C#

In the example below, you need to replace YOURWEBHOOKSECRET with a secret key obtained from Webhook subscription API.

public async Task WebHookTest()
    using (StreamReader reader = new StreamReader(HttpContext.Request.Body, Encoding.UTF8))
        var body = await reader.ReadToEndAsync();

        if (!IsSignatureCompatible("YOURWEBHOOKSECRET", body))//read webhooksecret from user secret
            throw new Exception("Unexpected Signature");
        //It is certain that Webhook has not been modified.

private bool IsSignatureCompatible(string secret, string body)
    if (!HttpContext.Request.Headers.ContainsKey("abp-webhook-signature"))
        return false;

    var receivedSignature = HttpContext.Request.Headers["abp-webhook-signature"].ToString().Split("=");//will be something like "sha256=whs_XXXXXXXXXXXXXX"
    //It starts with hash method name (currently "sha256") then continue with signature. You can also check if your hash method is true.

    string computedSignature;
    switch (receivedSignature[0])
        case "sha256":
            var secretBytes = Encoding.UTF8.GetBytes(secret);
            using (var hasher = new HMACSHA256(secretBytes))
                var data = Encoding.UTF8.GetBytes(body);
                computedSignature = BitConverter.ToString(hasher.ComputeHash(data));
            throw new NotImplementedException();
    return computedSignature == receivedSignature[1];