Signature verification

Every webhook request arrives with:

X-Infi-Timestamp: unix timestamp in seconds.
X-Infi-Signature: sha256=<hex>, where <hex> is the HMAC-SHA256 computed over the concatenation "{timestamp}.{raw body}" using the webhook secret.

Algorithm

Capture the raw body of the request (bytes, before any JSON parsing).
Capture the X-Infi-Timestamp and X-Infi-Signature headers.
Concatenate: payload = "{timestamp}.{rawBody}".
Compute expected = HMAC-SHA256(WEBHOOK_SECRET, payload) and encode in hex.
Compare "sha256=" + expected with the received header in constant time.

Use the raw body, not re-serialized JSON

The signature is over the exact bytes sent. Re-serializing the JSON on your side can change key order or spacing and break the verification. Configure your framework to preserve the raw body (e.g., in Express use express.raw({ type: 'application/json' })).

Where to get the `WEBHOOK_SECRET`

The secret is delivered together with your API key, through the secure channel agreed with INFI (encrypted email or dashboard). Do not expose it in public source code or logs — store as an environment variable.

Replay mitigation

Recommended: reject webhooks with X-Infi-Timestamp too old (e.g., > 5 minutes). This protects against replay of legitimate webhooks captured in transit.

Examples

# Shell validation — usually delegated to the application language.
# Concept:
#   payload="${TIMESTAMP}.${RAW_BODY}"
#   expected=$(echo -n "$payload" | openssl dgst -sha256 -hmac "$INFI_WEBHOOK_SECRET" | awk '{print $2}')
#   [[ "sha256=$expected" == "$X_INFI_SIGNATURE" ]]

import crypto from 'node:crypto'
import express from 'express'
 
const app = express()
app.use('/webhooks/infi', express.raw({ type: 'application/json' }))
 
app.post('/webhooks/infi', (req, res) => {
  const ts        = req.header('X-Infi-Timestamp') || ''
  const sigHeader = req.header('X-Infi-Signature') || ''
  const sigHex    = sigHeader.startsWith('sha256=') ? sigHeader.slice(7) : ''
 
  // Anti-replay: reject timestamps older than 5 minutes
  const tsNum = Number(ts)
  if (!Number.isFinite(tsNum) || Math.abs(Date.now() / 1000 - tsNum) > 300) {
    return res.status(401).end()
  }
 
  const payload  = `${ts}.${req.body.toString('utf8')}`
  const expected = crypto
    .createHmac('sha256', process.env.INFI_WEBHOOK_SECRET)
    .update(payload)
    .digest('hex')
 
  if (
    sigHex.length !== expected.length ||
    !crypto.timingSafeEqual(Buffer.from(sigHex), Buffer.from(expected))
  ) {
    return res.status(401).end()
  }
 
  const event = JSON.parse(req.body.toString('utf8'))
  // Enqueue idempotent processing. Respond fast.
  res.status(200).end()
})
 
app.listen(3000)

import hmac, hashlib, os, time
from flask import Flask, request, abort
 
app = Flask(__name__)
 
@app.post("/webhooks/infi")
def infi_webhook():
    ts = request.headers.get("X-Infi-Timestamp", "")
    sig_header = request.headers.get("X-Infi-Signature", "")
    sig = sig_header[7:] if sig_header.startswith("sha256=") else ""
 
    try:
        ts_num = int(ts)
    except ValueError:
        abort(401)
    if abs(time.time() - ts_num) > 300:
        abort(401)
 
    raw = request.get_data()
    payload = f"{ts}.".encode() + raw
    expected = hmac.new(
        os.environ["INFI_WEBHOOK_SECRET"].encode(),
        payload,
        hashlib.sha256,
    ).hexdigest()
 
    if not hmac.compare_digest(expected, sig):
        abort(401)
 
    event = request.get_json()
    return "", 200

<?php
$ts        = $_SERVER['HTTP_X_INFI_TIMESTAMP']  ?? '';
$sigHeader = $_SERVER['HTTP_X_INFI_SIGNATURE'] ?? '';
$sig       = str_starts_with($sigHeader, 'sha256=') ? substr($sigHeader, 7) : '';
 
if (!ctype_digit($ts) || abs(time() - (int)$ts) > 300) {
  http_response_code(401);
  exit;
}
 
$raw      = file_get_contents('php://input');
$payload  = $ts . '.' . $raw;
$expected = hash_hmac('sha256', $payload, getenv('INFI_WEBHOOK_SECRET'));
 
if (!hash_equals($expected, $sig)) {
  http_response_code(401);
  exit;
}
 
$event = json_decode($raw, true);
http_response_code(200);

Events Retry and idempotency