Verify Requests Received from Wix

When you receive a data payload from Wix, it includes a header called digest. The header holds a JSON Web Token (JWT) with the signed data.

Before using the data you've received, you should:

  • Verify the JWT's signature to confirm that the data was sent by Wix.
  • Verify the integrity of the data (for encrypted payloads only – not webhooks).

Here's a sample JWT:

Copy

Step 1 | Verify that the data came from Wix

To verify that the data came from Wix:

  1. Select your app from the Custom Apps page in your Wix Studio Workspace.

  2. In the side menu, click Webhooks.

  3. Click Get Public Key.

  4. Use the public key to decode the JWT.

Here's what the data looks like once its been decoded and verified with your public key:

Note: View a sample decoded JWT in the JWT debugger.

Step 2 | Verify the integrity of the data

In some cases, the payload data will be encrypted as a security precaution. If the data is encrypted, it's crucial to ensure its integrity and confirm that it hasn't been altered during transit.

Note: Webhook payloads are not encrypted.

The encrypted payload data includes an object with a hash of the payload data, and the hash type as its key. For example: 

Copy

To verify the integrity of the data:

  1. Take the encrypted body data you received and hash it using the same hashing algorithm listed in the data object. In our example: 

    • Hash type: SHA256
    • Body data: {"mydata":"is secured"}
  2. Compare the new hash with the hash listed in the data object. For example: Sha256({"mydata":"is secured"}) yields 3fd05dfe429837da86cbc710190c9a67296203bbd4bd3160ab0ff07b659b0160.

Did this help?