The messages are sent as a POST to the URL defined in the settings of your Lago workspace. If you return an error (other than a 2xx’s HTTP response) or if there is a network issue, the webhook will be sent again. Lago will try to send the webhook 3 times.

Message format

POST __WEBHOOK_URL__ 
{
  "webhook_type": "__TYPE__",
  "object_type": "OBJECT_TYPE",
  "__OBJECT__": {}
}

Unique Key

Lago sends an idempotency key (unique identifier) in the HTTP headers named X-Lago-Unique-Key. This key can be used to ensure you process a webhook only once.

Signature

Allong with the payload the message contains both X-Lago-Signature and X-Lago-Signature-Algorithm HTTP header. It is used to ensure the message is Coming from Lago and that the message has not been altered. To verify the signature, you must decode the signature and compare the result with the body of the webhook. You can choose between 2 differents signatures algorithm during your webhook endpoints creation, hmac or jwt. Please note that jwt is our original signature and is used by default.

JWT Signature

1. Retrieve the public key

from lago_python_client import Client

client = Client(api_key='__YOUR_API_KEY__')
webhooks_public_key = client.webhooks().public_key()

You should persist the public key on your side to avoid querying it for each webhook.

2. Decode and validate the signature

import jwt

decoded_signature = jwt.decode(
  request.headers.get('X-Lago-Signature'),
  webhooks_public_key,
  algorithms=['RS256'],
  issuer="https://api.getlago.com"
)

decoded_signature['data'] == request.body

HMAC Signature

Decode and validate the signature

import hmac
import base64

calc_sig = hmac.new(LAGO_HMAC_KEY, request.body.encode(), 'sha256').digest()
base64_sig = base64.b64encode(calc_sig).decode()
request.headers.get('X-Lago-Signature') == base64_sig