Dashbot Secret Key

If a secret key is provided, Dashbot will use it to sign the webhook calls it makes to your endpoints with an HMAC (keyed hash) using SHA-1.

Each signed call carries an extra header, x-dashbot-signature, containing the HMAC of the request body. Recomputing the HMAC with your secret key and comparing it to the header lets you verify that the request came from Dashbot (only Dashbot and you hold the key) and that the body was not altered in transit.

Specifically, the webhook calls that will be signed are the Pause URL and Send Message URL (used for both Live Person Takeover and Broadcast Messages).

Validating Payloads from Dashbot

Once your Dashbot secret key is set, each POST to your Pause URL and Send Message URL will carry an HMAC signature in the x-dashbot-signature header, in the form "sha1=" followed by the hex-encoded digest.

Here is an example of how you might validate the Dashbot header using Node.js (using the req object from Express and the built-in crypto module). The HMAC is computed over the JSON-serialized request body, and the comparison uses crypto.timingSafeEqual so that a wrong signature is rejected in constant time:

var crypto = require("crypto");
var dashbotSignature = req.header("x-dashbot-signature") || "";
var textToVerify = JSON.stringify(req.body);
var secret = "nomoresecrets"; // it is best to store this as an ENV variable, never in source
var algorithm = "sha1";
var hmac = crypto.createHmac(algorithm, secret);
hmac.update(textToVerify); // feed the request body into the HMAC before taking the digest
var hash = "sha1=" + hmac.digest("hex");
// Compare in constant time so an attacker cannot learn the signature byte by byte.
// timingSafeEqual throws on differing lengths, so check the length first.
var expected = Buffer.from(hash);
var received = Buffer.from(dashbotSignature);
if (expected.length === received.length && crypto.timingSafeEqual(expected, received)) {
  console.log("Dashbot Signature VERIFIED");
} else {
  console.warn("Dashbot Signature INVALID");
}