This article covers how to view important information about a webhook, including the webhook’s status, HMAC signature secret, verifying a webhook, and delivery history. This information is useful for both training and troubleshooting! Note: Managing Webhooks is done via Console, check out Who Can Set up Webhooks? to learn more. 

Webhook Status 

1. In the Settings section of Console, select Webhooks. 
2. Each webhook’s status (enabled or disabled) will appear in the listing here. This listing also includes each webhook’s name, ID, and trigger event type. 
   

HMAC Secret

Each webhook delivery is signed with a hash-based message authentication code (HMAC) that you can use to verify the delivery’s authenticity. This HMAC signature is included in the headers of the webhook. After you create a webhook, BenchPrep automatically generates a shared secret that Console admins or users with the “Read webhooks” permission  can view in Console.

1. In the Settings section of Console, select Webhooks.
2. Select the webhook you’d like to work with. 
3. The Overview tab on the next page will display a censored version of the secret. To view the exact signature, select Show. 
   
4. Select Hide after viewing the signature. 

Verifying a Webhook

Each webhook delivery is signed with a hash-based message authentication code (HMAC) that you can use to verify the delivery’s authenticity. The HMAC signature is included in the headers of the webhook. 

If a webhook has a valid HMAC signature, then the webhook is valid. You can verify the HMAC signature (and thus the webhook’s authenticity) by following these steps: 

1. Retrieve three data points from the webhook delivery: 
   1. HMAC signature: This is included in the webhook’s `X-BP-HMAC` HTTP header, shown in the table below. 
   2. Digest algorithm: The digest algorithm is the algorithm used to generate the HMAC. This is included in the webhook’s `X-BP-HMAC-ALGORITHM` HTTP header. BenchPrep currently only supports sha256.
   3. Body: The body is the raw data included in the webhook delivery, and it’s the data that you’ll authenticate. The body includes a timestamp of when this webhook delivery occurred. The HMAC signature signs the body, and each webhook delivery will have a unique signature.
2. Re-sign the HTTP body with the shared secret and verify that the HMAC signature matches the value provided in the header. Below is an example Python Flask application to show what this step looks like when performed successfully.  
   

Delivery History

1. In the Settings section of Console, select Webhooks.
2. Select the webhook you’d like to work with. 
3. On the next page, select the Delivery Log tab. 
   
4. The Delivery Log page shows the following information for each delivery attempted within the past 30 days: 
   1. Delivery ID
   2. Event ID: The ID of the event that triggered the webhook. 
   3. Type: “Test” (if this was a test delivery) or “Real” (if this was a user completing a genuine trigger event).
   4. Attempt: If a delivery fails, the webhook will automatically attempt to send the delivery again up to 16 times. This column shows which attempt this delivery was. 
   5. Time Stamp: The exact time (In UTC) when the delivery occurred. 
   6. Status: Whether or not the delivery was successful. “200” indicates a successful delivery; all other numbers indicate an unsuccessful attempt. 
   7. Action: This column provides the opportunity to re-attempt the delivery via the “Try Resend” link. This link will be available if a delivery has either exceeded its max retry count or been completed successfully.