New Features

Webhook HMAC Signature Verification

We’ve added support for HMAC-SHA256 signatures to further secure your webhook integrations. Here’s what’s new:

  • Signed Webhooks: When you provide an auth_token during webhook registration, Method now includes a method-webhook-signature header on each webhook request. This signature is an HMAC-SHA256 digest, computed using your auth_token as the shared secret and the message format ${method-webhook-timestamp}:${raw_payload}.

  • Timestamp Header: Every webhook request now includes a method-webhook-timestamp header (UNIX timestamp in seconds), allowing you to validate the freshness of requests and prevent replay attacks.

  • Verification: You can verify the webhook by recreating the HMAC digest locally and comparing it to the method-webhook-signature header value using a timing-safe equality check.
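
The three steps above as a receiver-side check. This is an added example, not code from Method or its SDKs. It assumes the signature is sent as a lowercase hex digest, that headers arrive as a dict with lowercase keys, and a 300-second freshness window; compute_signature and verify_webhook are hypothetical helper names.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: freshness window chosen for this example


def compute_signature(auth_token: str, timestamp: str, raw_payload: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>:<raw_payload>", keyed with auth_token.

    raw_payload must be the request body exactly as received; re-serialising
    parsed JSON can change the bytes and break the comparison.
    """
    message = timestamp.encode("ascii") + b":" + raw_payload
    # Assumption: the digest is hex-encoded on the wire.
    return hmac.new(auth_token.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_webhook(auth_token: str, headers: dict, raw_payload: bytes, now=None) -> bool:
    """Return True only for a fresh request carrying a valid signature."""
    timestamp = headers.get("method-webhook-timestamp", "")
    signature = headers.get("method-webhook-signature", "")
    # Reject missing headers and anything that is not plain ASCII digits.
    if not (timestamp.isascii() and timestamp.isdigit()) or not signature:
        return False
    # Freshness check: the timestamp is signed, so a replayed request cannot
    # carry a newer timestamp without invalidating the signature.
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False
    expected = compute_signature(auth_token, timestamp, raw_payload)
    # Timing-safe comparison, done on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real Method traffic.
    token = "example-auth-token"
    body = b'{"example":"constructed payload"}'
    ts = str(int(time.time()))
    hdrs = {
        "method-webhook-timestamp": ts,
        "method-webhook-signature": compute_signature(token, ts, body),
    }
    print("valid:", verify_webhook(token, hdrs, body))
    print("tampered:", verify_webhook(token, hdrs, body + b" "))
```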

For more information, please refer to the Webhook API.

Improvements

Connect API

  • Automatic Execution of Account Products and Subscriptions: You can now optionally include products and subscriptions arrays in the request body when creating a Connect for an entity. These will automatically execute upon a successful connection.

  • Expand Query Parameter: A new expand query parameter has been added to the Connect object, allowing you to include additional properties within the accounts object.

For more information, please refer to the Connect API and Expanding Resources.

SDK Updates