Example Webhook Implementation

This page describes how to implement your own webhook endpoint to receive document transmission status updates from Marmin.

Marmin will send HTTP POST requests to your configured webhook URL when document transmission status changes occur. You can implement this endpoint at any URL of your choice – this is just an example implementation.

Webhook Security and Verification

All webhook requests are secured using HMAC-SHA256 signature verification. You must verify the signature to ensure the request is authentic and has not been tampered with.

How Webhook Verification Works

1. Signature Generation: Marmin generates an HMAC-SHA256 signature using:

   - Payload: The JSON request body (raw, before parsing).

   - Secret Key: Your webhook signing secret.

   - Algorithm: HMAC-SHA256.

   - Encoding: Base64.

2. Signature Transmission: The signature is sent in the x-marmin-signature header.

3. Verification: Your endpoint should:

   - Extract the raw request body (before JSON parsing).

   - Compute HMAC-SHA256 using your webhook signing secret.

   - Compare the computed signature with the x-marmin-signature header.

   - Reject the request if signatures do not match.