Sift Workflows and Decisions are powerful tools for automating more of your fraud review processes. We’ve gotten a lot of positive feedback from customers about how Workflows and Decisions are helping them streamline fraud management, as well as some questions about best practices. In this blog post, we’ll share guidelines for the best, most secure way to use Decisions Webhooks to automate tasks that need to be done asynchronously.
As a very first step, you’ll need to set up some Decisions and create Workflows, which will apply those Decisions based on a set of rules that you define. You can read all about how to do that in our Configure Workflows Tutorial.
Already got Workflows and Decisions set up? Great! The next step is to set up Decisions Webhook Signing to validate that notifications are coming from us. Here’s how to get Decisions Webhook Signing running in a few easy steps:
Step 1: Before setting up Decisions Webhooks, you’ll want to enable webhook signing so that you can verify that the notifications are coming from Sift Science. To do so, go to the API Keys Tab of our developer page in the Sift Science console. There you’ll see a section called Signature Keys:
Step 2: Click on “New Signature Key”, choose the hash algorithm (SHA-256 by default, since it is newer and more secure than SHA-1), and click “Create Key”:
Step 3: Now you need to activate the newly created key. Hover your mouse over the “Disabled” button.
You will see it turn into an “Enable” button instead. Click it to enable the new Signature Key.
Your new signature key is active! Note that only one key can be active at a time. Make a note of it, because you’ll use it later in your code base.
Now that you’ve enabled webhook signing on Sift, every webhook notification generated by our Workflows and Decisions will carry a signature in the HTTP header “X-Sift-Science-Signature”. This signature is calculated as a SHA-256 (or SHA-1, if you chose the less secure option) hash over your signature key and the body of the notification.
Step 4: To verify that an HTTP notification is coming from Sift Science, compute the SHA-256 hash of your signature key combined with the body of the notification you received and compare it to the signature value in the HTTP header. It’s that easy! Here’s some sample code to give you an idea of how your webhook verification should operate:
For additional code examples, check out our webhook authentication documentation. Questions? Contact our support team.