New Features
Webhook HMAC Signature Verification
We’ve added support for HMAC-SHA256 signatures to further secure your webhook integrations. Here’s what’s new:-
Signed Webhooks: When you provide an
hmac_secret
during webhook registration, Method now includes amethod-webhook-signature
header on each webhook request. This signature is an HMAC-SHA256 digest, computed using yourhmac_secret
as the shared secret and the message format${method-webhook-timestamp}:${raw_payload}
. -
Timestamp Header: Every webhook request now includes a
method-webhook-timestamp
header (UNIX timestamp in seconds), allowing you to validate the freshness of requests and prevent replay attacks. - Verification: You can verify the webhook by recreating the HMAC digest locally and comparing it using a timing-safe equality check.
Improvements
Connect API
-
Automatic Execution of Account Products and Subscriptions: You can now optionally include
products
andsubscriptions
arrays in the request body when creating aConnect
for an entity. These will automatically execute upon a successful connection. -
Expand Query Parameter: A new
expand
query parameter has been added to theConnect
object, allowing you to include additional properties within theaccounts
object.
Example Request
Example Request
SDK Updates
- Released version 1.2.4 of
method-node
- Released version 1.2.4 of
method-python