The messages are sent as a POST to the URL defined in the settings of your Lago workspace.

Message format

POST __WEBHOOK_URL__

{
  "webhook_type": "__TYPE__",
  "object_type": "OBJECT_TYPE",
  "__OBJECT__": {}
}

Signature

Along with the payload, the message carries two HTTP headers: X-Lago-Signature and X-Lago-Signature-Algorithm.

They are used to ensure the message is coming from Lago and that the message has not been altered.

To verify the signature, you must decode the signature and compare the result with the body of the webhook.

You can choose between two different signature algorithms when creating your webhook endpoint: hmac or jwt. Please note that jwt is our original signature scheme and is used by default.

JWT Signature

1. Retrieve the public key

from lago_python_client import Client

client = Client(api_key='__YOUR_API_KEY__')
webhooks_public_key = client.webhooks().public_key()

You should persist the public key on your side to avoid querying it for each webhook.

2. Decode and validate the signature

import jwt  # PyJWT

# jwt.decode raises if the signature, the algorithm or the issuer does not check out.
decoded_signature = jwt.decode(
  request.headers.get('X-Lago-Signature'),
  webhooks_public_key,
  algorithms=['RS256'],
  issuer="https://api.getlago.com"
)

# The signed payload must match the raw request body exactly; reject the webhook otherwise.
if decoded_signature['data'] != request.body:
  raise ValueError('Webhook body does not match the signed payload')

HMAC Signature

Decode and validate the signature

import hmac
import base64

# The key must be bytes, and the digest is computed over the raw request body.
calc_sig = hmac.new(LAGO_API_KEY.encode(), request.body.encode(), 'sha256').digest()
base64_sig = base64.b64encode(calc_sig).decode()
# Compare in constant time so the check does not leak timing information.
if not hmac.compare_digest(request.headers.get('X-Lago-Signature', ''), base64_sig):
  raise ValueError('Invalid webhook signature')
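To show the HMAC check as a reusable verifier that also honours the X-Lago-Signature-Algorithm header, here is an added example (not Lago's own code): the API key, the event body and the header value "hmac" for the algorithm header are constructed assumptions.

```python
import base64
import hmac
import json
from typing import Mapping

# Constructed sample values, not real Lago credentials or a real event.
API_KEY = "test_api_key_0123456789"
SAMPLE_BODY = json.dumps({
    "webhook_type": "example.event",
    "object_type": "example",
    "example": {"lago_id": "constructed-id", "status": "finalized"},
}, separators=(",", ":"))


def hmac_signature(api_key: str, raw_body: bytes) -> str:
    """Base64(HMAC-SHA256(api_key, body)) as carried in X-Lago-Signature."""
    digest = hmac.new(api_key.encode(), raw_body, "sha256").digest()
    return base64.b64encode(digest).decode()


def verify_hmac_webhook(api_key: str, raw_body: bytes, headers: Mapping[str, str]) -> bool:
    """True only if the algorithm header says hmac and the signature matches the raw body."""
    # Assumption: the algorithm header carries the literal value "hmac".
    if headers.get("X-Lago-Signature-Algorithm", "").lower() != "hmac":
        return False
    presented = headers.get("X-Lago-Signature")
    if not presented:
        return False
    # Sign the raw bytes as received: re-serialising the JSON would change the digest.
    expected = hmac_signature(api_key, raw_body)
    # Constant-time comparison so timing does not reveal how much of the signature matched.
    return hmac.compare_digest(expected.encode(), presented.encode())


def demo() -> dict:
    body = SAMPLE_BODY.encode()
    headers = {
        "X-Lago-Signature-Algorithm": "hmac",
        "X-Lago-Signature": hmac_signature(API_KEY, body),
    }
    tampered = body.replace(b'"finalized"', b'"voided"')  # altered in transit
    return {
        "genuine": verify_hmac_webhook(API_KEY, body, headers),
        "tampered_body": verify_hmac_webhook(API_KEY, tampered, headers),
        "wrong_key": verify_hmac_webhook("other_key", body, headers),
        "missing_signature": verify_hmac_webhook(API_KEY, body, {"X-Lago-Signature-Algorithm": "hmac"}),
    }
```

Calling demo() returns True only for the genuine case; a changed body, a different key or a missing signature header are all rejected.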