New Features

Webhook HMAC Signature Verification

We’ve added support for HMAC-SHA256 signatures to further secure your webhook integrations. Here’s what’s new:
  • Signed Webhooks: When you provide an hmac_secret during webhook registration, Method now includes a method-webhook-signature header on each webhook request. This signature is an HMAC-SHA256 digest, computed using your hmac_secret as the shared secret and the message format ${method-webhook-timestamp}:${raw_payload}.
  • Timestamp Header: Every webhook request now includes a method-webhook-timestamp header (UNIX timestamp in seconds), allowing you to validate the freshness of requests and prevent replay attacks.
  • Verification: You can verify the webhook by recreating the HMAC digest locally and comparing it using a timing-safe equality check.
For more information, please refer to the Webhook API.

Improvements

Connect API

  • Automatic Execution of Account Products and Subscriptions: You can now optionally include products and subscriptions arrays in the request body when creating a Connect for an entity. These will automatically execute upon a successful connection.
  • Expand Query Parameter: A new expand query parameter has been added to the Connect object, allowing you to include additional properties within the accounts object. 
const connect = await method
    .entities('ent_TYHMaRJUUeJ7U')
    .connect
    .create(
        {
            products: ['attribute', 'card_brand'],
            subscriptions: ['card_brand', 'transaction'],
        }, 
        {
            expand: ['accounts.update']
        }
    );
For more information, please refer to the Connect API and Expanding Resources.

SDK Updates