Requirements for processing notifications
To receive notifications, ensure that the URL of your endpoint is publicly accessible. Once your application receives notifications, it must perform at least the following steps:
1. Validate the integrity of an event
Twelve Labs includes a unique header named TL-Signature
in each POST
request. The header is composed of the following parts:
t
: A Unix timestamp representing the time when the platform has sent the notificationv1
: A signature generated uniquely for each webhook event, usingHMAC
withSHA-256
To validate the signature and verify that the event was sent by Twelve Labs:
-
The platform uses a secret key to sign each
POST
request. You must retrieve it from the Webhooks page by following the steps in the Retrieve your secret key section and then store it in your application. -
Extract the
t
andv1
fields. Split theTL-Signature
header, using the comma (,
) character as a separator. -
Generate a signed payload. Concatenate the timestamp retrieved from the header and the raw request body, using the dot (
.
) character as a separator.Note that you must use the raw request body. Do not parse the request body or else the validation will fail.
Example:timestampFromHeader = "1659342128" body = '{"name":"test"}' signedPayload = timestampFromHeader + "." + body //1659342128.{"name":"test"}
-
Create a
HmacSha256
signature using the secret key you've retrieved from the Dashboard page for theHMAC
key and the signed payload as payload.The following example shows how you can generate a signature in Go:
func generateHmacSha256Signature(secret, payload string) string { h := hmac.New(sha256.New, []byte(secret)) h.Write([]byte(payload)) return hex.EncodeToString(h.Sum(nil)) }
-
Compare the signature computed in the previous step with the signature provided in the header. If the signatures match, it means that Twelve Labs is the sender of the notification.
-
(Optional) As an additional security measure, you can also compare the timestamp received in the
t
field to the current time. Twelve Labs suggest you consider valid all the requests for which the time difference is less than five minutes.
2. Respond with a 2xx status code
Your webhook must return a 2xx
status code for each notification it receives from the platform, indicating successful delivery of the notification. The platform will treat a different response code as a failure, and the status will show as Failed
.
Updated 5 months ago