To further increase the security of GlobalPass services, a V2 version of webhook delivery is introduced. The webhook secret is no longer exposed - it is used to generate the signature instead. In addition, webhook's headers now contain webhook's creation date.
Current webhook structure under V1:
<img src="https://cdn.livechat-files.com/api/file/kb/file/16875810/3304022bb4-963d3b56ab56af5daa1c.png" alt="">
Webhook structure under V2:
<img src="https://cdn.livechat-files.com/api/file/kb/file/16875810/9b3e979459-bcf827ec9765935f35a6.png" alt="">
Update instructions:
To enable V2 webhooks version, turn on&nbsp;V2 Delivery toggle near your Webhook URL in Verification Settings:
<img src="https://cdn.livechat-files.com/api/file/kb/file/16875810/9d983f9c7d-6fc56534bdccdce97751.png">
New headers:
<ul>
<li><code>X-GP-Signature</code></li>
</ul>
A hash signature (HMAC-SHA-256) is added to the webhook headers. This is the HMAC hex digest of the request body, and is generated using the SHA-256 hash function and the <code>Webhook secret</code> as the HMAC <code>key</code>.
To validate a webhook, use the SHA-256 hash function and your Webhook Secret (generated and visible in the Portal when adding your Webhook URL) to generate hash signature of the webhook body. Then it can be compared with the signature in the headers.
<ul>
<li><code>X-GP-Created-At</code></li>
</ul>
This header contains date when the webhook was created. Using this date, webhooks can also be validated, for example, by ignoring webhooks which were created more than 15 minutes ago.
&nbsp;

To further increase the security of GlobalPass services, a V2 version of webhook delivery is introduced. The webhook secret is no longer exposed - it is used to generate the signature instead. In addition, webhook's headers now contain webhook's creation date.

Current webhook structure under V1:



Webhook structure under V2:



Update instructions:

To enable V2 webhooks version, turn on V2 Delivery toggle near your Webhook URL in Verification Settings:



New headers:

 * X-GP-Signature

A hash signature (HMAC-SHA-256) is added to the webhook headers. This is the HMAC hex digest of the request body, and is generated using the SHA-256 hash function and the Webhook secret as the HMAC key.

To validate a webhook, use the SHA-256 hash function and your Webhook Secret (generated and visible in the Portal when adding your Webhook URL) to generate hash signature of the webhook body. Then it can be compared with the signature in the headers.

 * X-GP-Created-At

This header contains date when the webhook was created. Using this date, webhooks can also be validated, for example, by ignoring webhooks which were created more than 15 minutes ago.

 

Updating Webhooks from V1 to V2

About GloblPass

What are the Products and Services offered by GlobalPass?

How to reach out to GlobalPass? 

What are the integration possibilities?

What are the integration flows?

Is GlobalPass a data controller or data processor?

How does GlobalPass store data?

What type of documents are supported by GlobalPass?

What to do if I get an invalid token error while signing up?

I cannot download PDF

Does GlobalPass detect duplicates?

How much time does it to complete a verification?

What languages are supported for verification flow?

What are IP Threats in Geolocation?

How to use GlobalPass Trial?

How to scan a QR code?

What is the Widget?

What is Screening State?

What is the recommended approach to set up applicant verification?

What is Document Expiration Auto-Tracking?

What is Geolocation verification?

How to generate API keys & setup webhook location for integration?

Hi, how can we help?