I'm trying to validate an HMAC SHA256 key that an API sends to me in a header. I don't fully understand how to validate this, can anyone point me in the right direction?

From the API reference:

Every central webhook POST contains a header field "X-Signature-SHA256" with the signature value of the signed body's payload. The JSON body is signed with the HMAC SHA256 algorithm based on RFC2104, with the "Client Secret" as the signing key.

The following answer is pretty clear & helpful: https://stackoverflow.com/a/12253723/4179234

However, I feel like I'm missing a string/message that I need to encrypt to get the same HMAC SHA256 key, as I only have the API client secret to use as a key for the hashing but no message.

The following part is taken from the above Stack Overflow answer, so I convert the API client secret to byte[] and use it for the first input var. But what should message be then in this case?

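    // Requires: using System.Security.Cryptography;
    // Computes the HMAC-SHA256 of message under key.
    private static byte[] HashHMAC(byte[] key, byte[] message)
    {
        // HMACSHA256 holds key material and is IDisposable, so dispose it after use.
        using (var hash = new HMACSHA256(key))
        {
            return hash.ComputeHash(message);
        }
    }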
Rick
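
Added example, not part of the original post or the API's own code: in the scheme the quoted API reference describes, the HMAC message is the raw JSON body of the POST, the key is the Client Secret, and the result is compared with the "X-Signature-SHA256" header. Assumptions: the secret is used as UTF-8 bytes, the header is hex or Base64 encoded (the page does not say which), .NET 5 or later is available, and the class name, method names and sample values are made up for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class WebhookSignature
{
    // Returns true when signatureHeader is a valid HMAC-SHA256 of rawBody under clientSecret.
    // rawBody must be the exact bytes received, read before any JSON deserialization,
    // because re-serialized JSON can differ in whitespace or key order and change the hash.
    public static bool IsValid(byte[] rawBody, string signatureHeader, string clientSecret)
    {
        if (rawBody == null || string.IsNullOrWhiteSpace(signatureHeader) || string.IsNullOrEmpty(clientSecret))
            return false;

        byte[] received = DecodeSignature(signatureHeader.Trim());
        if (received == null)
            return false;

        // Assumption: the Client Secret is used as its UTF-8 bytes.
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(clientSecret)))
        {
            byte[] expected = hmac.ComputeHash(rawBody);
            // Constant-time comparison so response timing does not reveal how many bytes matched.
            return CryptographicOperations.FixedTimeEquals(expected, received);
        }
    }

    // Assumption: a 32-byte signature arrives as 64 hex characters or as Base64.
    private static byte[] DecodeSignature(string value)
    {
        try { return value.Length == 64 ? Convert.FromHexString(value) : Convert.FromBase64String(value); }
        catch (FormatException) { return null; }
    }

    public static void Main()
    {
        // Constructed sample values, not taken from any real API.
        const string secret = "example-client-secret";
        byte[] body = Encoding.UTF8.GetBytes("{\"event\":\"test\",\"id\":1}");
        byte[] tampered = Encoding.UTF8.GetBytes("{\"event\":\"test\",\"id\":2}");

        string header;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
            header = Convert.ToHexString(hmac.ComputeHash(body));

        Console.WriteLine(IsValid(body, header, secret));      // signature matches the body
        Console.WriteLine(IsValid(tampered, header, secret));  // body changed after signing
    }
}
```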

0 Answers