Validating events
Protect your webhook endpoint by validating incoming events.
- Signature: validate the signature in order to ensure authenticity.
- Timestamp: validate the timestamp in order to protect against replay attacks.
- Deduplication: check for duplicates.
Lucca-Signature
Each event delivery is signed by the server so that webhook endpoints can check its authenticity.
The signature is a SHA256 hash calculated from the concatenation of the delivery timestamp (i.e. the moment the event was sent from our server) and the request payload, separated by a . (dot) character. Both properties can be found in HTTP headers:
- the signature is in the Lucca-Signature HTTP header;
- the timestamp is in the Lucca-Timestamp HTTP header.
If the signature is missing (i.e. no Lucca-Signature header was sent) or does not match, then return a 401 Unauthorized.
Lucca-Timestamp
The timestamp sent in the Lucca-Timestamp HTTP header matches the exact time the request was sent from Lucca’s servers. It is a UTC date-time in ISO 8601 format, e.g. “2025-01-01T08:34:23Z”.
You should check that the timestamp is within +/- 5 minutes of the moment you receive the event, in order to protect yourself against replay attacks.
If the timestamp is too old, too far in the future, or simply missing, then return a 401 Unauthorized.
Handling Duplicates
You may want to check for duplicate events (and potentially discard them), as you may receive an event more than once through our retry feature.
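The three checks above (signature, timestamp window, deduplication across retries) combined in one endpoint-side validator, as an added example that is not part of Lucca's documentation or SDK. It follows the page's description literally: a SHA256 digest over the timestamp, a dot and the raw request body, a +/- 5 minute window, and a 401 for anything missing or mismatched. Assumed (not stated on the page): lowercase hex encoding of the digest, hashing the raw body bytes, and an `id` field in the JSON payload as the deduplication key.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_SKEW = timedelta(minutes=5)  # accept deliveries within +/- 5 minutes of receipt


def parse_timestamp(value: str) -> Optional[datetime]:
    """Parse a Lucca-Timestamp value (UTC ISO 8601, e.g. 2025-01-01T08:34:23Z)."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def expected_signature(timestamp: str, body: bytes) -> str:
    """SHA-256 over '<timestamp>.<raw body>' as described on the page.
    Lowercase hex output and hashing the raw body bytes are assumptions."""
    return hashlib.sha256(timestamp.encode("ascii") + b"." + body).hexdigest()


def validate_delivery(headers: dict, body: bytes, received_at: datetime,
                      seen_ids: set) -> tuple:
    """Return (http_status, reason): 401 for a missing or bad signature/timestamp,
    200 'accepted' for a new event, 200 'duplicate' for a redelivered one."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    signature, timestamp = h.get("lucca-signature"), h.get("lucca-timestamp")
    if not signature or not timestamp:
        return 401, "missing header"

    sent_at = parse_timestamp(timestamp)
    if sent_at is None:
        return 401, "bad timestamp"
    if abs(received_at - sent_at) > MAX_SKEW:
        return 401, "timestamp outside window"

    # Constant-time comparison so response timing does not reveal how much of the digest matched.
    if not hmac.compare_digest(signature.lower().encode("utf-8"),
                               expected_signature(timestamp, body).encode("ascii")):
        return 401, "signature mismatch"

    # Only parse the body once it has passed the checks. The dedup key is an 'id'
    # field assumed to be in the JSON payload; key on the real identifier if it differs.
    event_id = json.loads(body).get("id")
    if event_id in seen_ids:
        return 200, "duplicate"
    seen_ids.add(event_id)
    return 200, "accepted"
```

Because the digest as described involves no secret, anyone able to observe a delivery could recompute it, so the timestamp window and the duplicate check are what actually limit replays; confirm the encoding details against a real delivery before relying on them.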