The messages are sent as a POST to the URL defined in the settings of your Lago workspace.

Message format

POST __WEBHOOK_URL__

{
  "webhook_type": "__TYPE__",
  "object_type": "OBJECT_TYPE",
  "__OBJECT__": {}
}

Signature

Allong with the payload the message contains both X-Lago-Signature and X-Lago-Signature-Algorithm HTTP header.

It is used to ensure the message is Coming from Lago and that the message has not been altered.

To verify the signature, you must decode the signature and compare the result with the body of the webhook.

You can choose between 2 differents signatures algorithm during your webhook endpoints creation, hmac or jwt. Please note that jwt is our original signature and is used by default.

JWT Signature

1. Retrieve the public key


You should persist the public key on your side to avoid querying it for each webhook.

2. Decode and validate the signature

HMAC Signature

Decode and validate the signature