Verify Requests Received from Wix

When you receive a data payload from Wix, it includes a header called 'digest'. This header holds a JSON web token (JWT) with the signed data. Not familiar with JSON web tokens? Learn more about JWT before continuing. Before using the data you've received, you should:

  1. Verify the JWT's signature to confirm that the data was sent by Wix.
  2. Verify that the encrypted data was not tampered with (for encrypted payloads only – not webhooks).

Here's a sample JWT:


Verify that the data came from Wix

Use your app's public key to verify that the data was sent by Wix. You can find your app's public key in the Wix Developers Center under Webhooks in the side menu (under Build Your App). Keep in mind that you need to have at least one webhook in order to see your public key. Here's what the data looks like once it's been decoded and verified with your public key:

Note: View a sample decoded JWT in the JWT debugger.

Verify that encrypted data hasn't been tampered with

In some cases, the payload data will be encrypted as a security precaution. If the data is encrypted, in addition to verifying that the data came from Wix, you should also verify that it wasn't tampered with in transit.

Note: Webhook payloads are not encrypted.

The encrypted payload data includes an object with a hash of the payload data, and the hash type as its key. Here's an example: 

"SHA256": "3fd05dfe429837da86cbc710190c9a67296203bbd4bd3160ab0ff07b659b0160"

  1. Take the encrypted body data you received and hash it using the same hashing algorithm listed in the data object. In our example:
       • Hash type: SHA256
       • Body data: {"mydata":"is secured"}
  2. Compare the new hash with the hash listed in the data object.

Sha256({"mydata":"is secured"}) yields: 3fd05dfe429837da86cbc710190c9a67296203bbd4bd3160ab0ff07b659b0160
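The two steps above as a Python function. This is an added example, not Wix's own code. The function name, the SHA512 entry in the allowlist and the sample values are assumptions, and the hash object is assumed to come from data whose JWT signature has already been verified.

```python
import hashlib
import hmac

# Allowlist: the label in the hash object selects an algorithm only from this
# map, never an arbitrary hashlib name. SHA256 is the type shown on the page;
# the SHA512 entry is an assumption added for illustration.
ALLOWED_HASHES = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def verify_body_hash(raw_body: bytes, hash_object: dict) -> bool:
    """Return True only if raw_body matches the single hash in hash_object.

    raw_body must be the bytes exactly as received: re-serialising parsed
    JSON can change whitespace or key order and therefore the digest.
    """
    if not isinstance(hash_object, dict) or len(hash_object) != 1:
        return False  # expect exactly one {"<hash type>": "<hex digest>"}
    hash_type, expected = next(iter(hash_object.items()))
    hasher = ALLOWED_HASHES.get(str(hash_type).upper())
    if hasher is None or not isinstance(expected, str):
        return False  # unknown algorithm or malformed digest: fail closed
    actual = hasher(raw_body).hexdigest()
    # Step 2: compare in constant time instead of with ==.
    return hmac.compare_digest(actual.encode(), expected.strip().lower().encode())


# Constructed sample: the body string from the page's example, with the hash
# object computed locally so the demo is self-consistent.
SAMPLE_BODY = b'{"mydata":"is secured"}'
SAMPLE_HASH_OBJECT = {"SHA256": hashlib.sha256(SAMPLE_BODY).hexdigest()}

if __name__ == "__main__":
    # Intact body, then a body that was modified after the hash was computed.
    print(verify_body_hash(SAMPLE_BODY, SAMPLE_HASH_OBJECT))
    print(verify_body_hash(b'{"mydata":"is altered"}', SAMPLE_HASH_OBJECT))
```

Pass the request body as raw bytes, before any JSON parsing, and reject the request when the function returns False.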
