Configuration and Security

Request Verification

Two types of request verification are supported: basic auth and request signature.

Basic HTTP Authentication

You can configure a webhook endpoint with basic HTTP authentication credentials, which are Base64 encoded and sent with each webhook request in the Authentication header.

Checking Webhook Signature

Alternatively, each request includes a daisybill-signature header that carries a signature of the webhook event. This allows you to verify that events were sent by daisyBill. daisyBill generates signatures using HMAC with SHA-256.

To compute the expected signature, compute an HMAC with the SHA-256 hash function. Use the webhook endpoint's signing secret (found on the endpoint's configuration page) as the key and the request payload as the message.

The computed signature should match the signature in the header.
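The check described above, as an added example that is not daisyBill's own code. It assumes the header carries the digest as hex (the page does not state the encoding) and that you have the raw request body bytes; the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "daisybill-signature"  # header name given on this page


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw request body, keyed with the signing secret.

    Assumption: the digest is hex encoded. Confirm the encoding against a
    real delivery before relying on this.
    """
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the header matches the signature we compute."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER)
    if not received:
        return False  # unsigned request: reject instead of falling through
    expected = expected_signature(secret, raw_body)
    # compare_digest is constant time, so response timing does not reveal
    # how many leading characters of a guessed signature were correct.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


# Constructed sample data (not real daisyBill values).
SAMPLE_SECRET = b"constructed-signing-secret"
SAMPLE_BODY = b'{"event":"constructed.sample","id":123}'
SAMPLE_HEADERS = {"Daisybill-Signature": expected_signature(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    import json

    print("valid delivery:", verify_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
    print("tampered body:", verify_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY + b" "))
    print("missing header:", verify_webhook(SAMPLE_SECRET, {}, SAMPLE_BODY))
    # Parsing and re-serialising the JSON changes whitespace, so the bytes
    # (and the HMAC) no longer match what was signed.
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print("re-serialised body:", verify_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, reserialised))
```

Verify against the body bytes exactly as received, before any JSON parsing or framework re-encoding.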

IP Allowlisting

If you're behind a firewall, the following is the list of source IPs for every webhook sent by daisyBill:

  • 3.225.70.74
  • 18.215.68.132
  • 3.224.141.187
  • 3.225.85.153