Webhook of the week - Authorize.Net

I feel that commerce solutions benefit greatly from webhook integrations, so I looked forward to adding an important webhook source for Authorize.Net. They provide excellent support for a variety of events, strong security, and clean API access. Their webhook documentation seemed very complete, but I was in for quite a bit of unexpected work.

I first noticed that the documentation for event types and payloads described many more events than I could see in the dashboard UI for adding a webhook. I was happy to see both the ability to send a test event from the UI and via the API, but I was still left with the challenge of confirming these additional event types.

The real challenge came when implementing verification of the event via the X-ANET-Signature. Their use of HMAC-SHA512 was slightly unusual, but on the surface it appeared to be a typical implementation. When the signature came back as a mismatch, I dug deeper into the documentation.

The first issue wasn’t hard to find even though the documentation didn’t help, since it was easy to see the signature included a sha512= prefix. The second issue was also easy when I saw that the hex signature was in uppercase. The last and hardest problem took a bunch of experimenting to track down. In the end I found it was necessary to strip all whitespace from the payload. This was very unusual, so I hope others benefit from the answer I was able to find.

On a positive note, their offering of basic authentication when doing the POST for the webhook event is always great to see. The inclusion of an event timestamp and unique ID is also very useful in webhook implementations.

Overall they provide an excellent webhook solution. A bit more work on the already thorough documentation would help developers avoid some frustration. I’m always happy to have solved these kinds of webhook problems, so fellow developers can focus on the real work of doing something meaningful with events.