To ensure the authenticity of a webhook, we sign each request with your webhook secret and place the signature in the X-Webhook-Signature header. This enables your server to confirm that the payload has not been altered and originates from a trusted source.

Create a Webhook endpoint

The webhook secret is unique to each organization-webhook endpoint pair. You get a webhook secret after creating a webhook endpoint.

Signature validation snippets

Webhook.php
/**
 * @param array<string, string> $headers  // Incoming HTTP headers
 * @param string                $rawBody  // Raw JSON request body
 * @param string                $secret   // Shared secret key
 * @return bool                           // Whether the signature is valid
 */
function validate_webhook(array $headers, string $rawBody, string $secret): bool {
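  // HTTP header names are case-insensitive; normalise before lookup
  $headers = array_change_key_case($headers, CASE_LOWER);
  $receivedSignature = $headers['x-webhook-signature'] ?? '';
  $timestamp = $headers['x-webhook-timestamp'] ?? '';

  // A body that does not decode to a JSON object cannot carry a valid signature
  $body = json_decode($rawBody, true);
  if (!is_array($body)) {
    return false;
  }

  // Rebuild the signed structure; the HMAC covers these fields in this order
  $webhookPayload = [
    "webhook_id" => $body["webhook_id"] ?? null,
    "url" => $body["url"] ?? null,
    "event" => $body["event"] ?? null,
    "resource_id" => $body["resource_id"] ?? null,
    "payload" => $body["payload"] ?? null,
    "timestamp" => $timestamp
  ];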

  $expectedSignature = hash_hmac(
    'sha256',
    json_encode($webhookPayload, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE),
    $secret
  );

  return hash_equals($expectedSignature, $receivedSignature);
}
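
The following is an added example, not part of the original snippet or the vendor's code: it pairs a constructed sender with a receiver so you can see the check accept a genuine request and reject an edited body, a replayed capture and a malformed body. The names `expected_signature`, `validate_request` and `SIGNED_FIELDS`, the 300-second window, and the treatment of `X-Webhook-Timestamp` as Unix epoch seconds are assumptions; the page does not state the timestamp format.

```php
<?php
// Added example, not the vendor's code. The signed field list mirrors the
// snippet above; the secret, body and timestamps below are constructed.
const SIGNED_FIELDS = ['webhook_id', 'url', 'event', 'resource_id', 'payload'];

function expected_signature(array $body, string $timestamp, string $secret): string {
  $signed = [];
  foreach (SIGNED_FIELDS as $field) {
    $signed[$field] = $body[$field] ?? null;
  }
  $signed['timestamp'] = $timestamp;
  $json = json_encode($signed, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
  return hash_hmac('sha256', $json, $secret);
}

function validate_request(array $headers, string $rawBody, string $secret,
                          int $maxAgeSeconds = 300, ?int $now = null): bool {
  // HTTP header names are case-insensitive, so normalise before lookup.
  $h = array_change_key_case($headers, CASE_LOWER);
  $signature = (string)($h['x-webhook-signature'] ?? '');
  $timestamp = (string)($h['x-webhook-timestamp'] ?? '');
  $body = json_decode($rawBody, true);
  if ($signature === '' || !is_array($body)) {
    return false;
  }
  // Assumption: the timestamp is Unix epoch seconds (format not given on the page).
  if (!ctype_digit($timestamp) || abs(($now ?? time()) - (int)$timestamp) > $maxAgeSeconds) {
    return false;
  }
  return hash_equals(expected_signature($body, $timestamp, $secret), $signature);
}

// Constructed sender side: sign a sample body the way the receiver expects.
$secret = 'constructed-example-secret';
$now = 1700000000;
$raw = '{"webhook_id":"wh_1","url":"https://example.test/hook",'
     . '"event":"order.created","resource_id":"res_1","payload":{"total":42}}';
$headers = [
  'x-webhook-signature' => expected_signature(json_decode($raw, true), (string)$now, $secret),
  'X-Webhook-Timestamp' => (string)$now,
];

var_dump(validate_request($headers, $raw, $secret, 300, $now));         // genuine request
var_dump(validate_request($headers, str_replace('42', '43', $raw), $secret, 300, $now)); // edited body
var_dump(validate_request($headers, $raw, $secret, 300, $now + 3600));  // old capture replayed
var_dump(validate_request($headers, 'not json', $secret, 300, $now));   // malformed body
```

Because the timestamp header is part of the signed structure, a receiver can trust it for a freshness check once the HMAC matches; without such a check a captured request stays valid indefinitely.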