
How to Use Sift’s Asynchronous Webhook Notifications Securely

Last year, we launched Formulas and Actions, powerful tools for automating more of your fraud review workflow. Since then, we’ve gotten a lot of…


Sift Workflows and Decisions are powerful tools for automating more of your fraud review processes. We’ve gotten a lot of positive feedback from customers about how Workflows and Decisions are helping them streamline fraud management, as well as some questions about best practices. In this blog post, we’ll share guidelines for the best, most secure way to use Decisions Webhooks to automate tasks that need to be done asynchronously.

As a very first step, you’ll need to set up some Decisions and create Workflows, which will apply those Decisions based on a set of rules that you define. You can read all about how to do that in our Configure Workflows Tutorial.

Already got Workflows and Decisions set up? Great! The next step is to set up Decisions Webhook Signing to validate that notifications are coming from us. Here’s how to get Decisions Webhook Signing running in a few easy steps:

Step 1: Before setting up Decisions Webhooks, enable webhook signing so that you can verify that notifications are coming from Sift Science. To do so, go to the API Keys tab of the developer page in the Sift Science console. There you’ll see a section called Signature Keys:

(Screenshot: the Signature Keys section of the API Keys tab)

Step 2: Click “New Signature Key”, choose the encryption type (the default is SHA-256, which is newer and more secure than SHA-1), and click “Create Key”:

(Screenshot: choosing the encryption type for the new key)

Step 3: Now you need to activate the newly created key. Hover the mouse over the “Disabled” button.

(Screenshot: the new key showing the “Disabled” button)

You will see it turn into an “Enable” button instead. Click it to enable the new Signature Key.

(Screenshot: the “Enable” button)

Note that only one key can be active at a time.

(Screenshot: the newly enabled signature key)

Your new signature key is active! Make a note of it, because you’ll use it later in your code base.

Now that you’ve enabled webhook signing on Sift, every webhook notification generated by our Workflows and Decisions will carry a signature in the “X-Sift-Science-Signature” HTTP header. This signature is a keyed hash (HMAC) of the notification body, computed with SHA-256 (or SHA-1, if you chose the less secure encryption type) using your signature key as the key.

Step 4: To verify that an HTTP notification is coming from Sift Science, compute the same SHA-256 keyed hash of the notification body using your signature key, and compare it to the signature value in the HTTP header. It’s that easy! Here’s some sample code to give you an idea of how your webhook verification should operate:

(Screenshot: sample webhook verification code)
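The verification described in Step 4, written out as an added example (this is not Sift’s own sample code or the code from the screenshot). It assumes the header carries the algorithm name as a prefix in the form `sha256=<hex digest>` (or `sha1=<hex digest>`), that the signature is an HMAC over the raw request body, and it uses a constructed signature key and a constructed notification body for the demonstration:

```python
import hashlib
import hmac
from typing import Optional

# Constructed placeholder; use the signature key you created in the Sift console.
SIGNATURE_KEY = "example-signature-key-do-not-use"

# Algorithm prefixes assumed to appear in the header, mapped to hash functions.
_ALGORITHMS = {"sha256": hashlib.sha256, "sha1": hashlib.sha1}


def compute_signature(key: str, body: bytes, algorithm: str = "sha256") -> str:
    """Return the hex HMAC of the raw request body under the given key and algorithm."""
    if algorithm not in _ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hmac.new(key.encode("utf-8"), body, _ALGORITHMS[algorithm]).hexdigest()


def verify_signature(key: str, body: bytes, header_value: Optional[str]) -> bool:
    """Check an X-Sift-Science-Signature header value against the raw body.

    Assumed header format: "<algorithm>=<hex digest>", e.g. "sha256=ab12...".
    Returns False for a missing header, an unknown algorithm, or a mismatch.
    """
    if not header_value or "=" not in header_value:
        return False
    algorithm, _, received = header_value.partition("=")
    algorithm = algorithm.strip().lower()
    if algorithm not in _ALGORITHMS:
        # Refuse anything we did not configure instead of guessing a hash function.
        return False
    expected = compute_signature(key, body, algorithm)
    # Constant-time comparison: never use == on signatures, which leaks how many
    # leading characters matched through timing.
    return hmac.compare_digest(expected, received.strip().lower())


def demo() -> dict:
    """Constructed notification body (not a real Sift payload) run through the checks."""
    body = b'{"entity": {"type": "user", "id": "user_123"}, "decision": {"id": "block_user"}}'
    header = "sha256=" + compute_signature(SIGNATURE_KEY, body, "sha256")
    return {
        "genuine": verify_signature(SIGNATURE_KEY, body, header),
        "tampered_body": verify_signature(SIGNATURE_KEY, body + b" ", header),
        "wrong_key": verify_signature("some-other-key", body, header),
        "missing_header": verify_signature(SIGNATURE_KEY, body, None),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two points matter in practice: compute the HMAC over the exact bytes you received, before any JSON parsing or re-serialization (whitespace or key-order changes would alter the digest), and reject the request outright when the header is missing or names an algorithm you did not enable, rather than falling back to an unsigned path.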

For additional code examples, check out our webhook authentication documentation. Questions? Contact our support team.
