Validate an incoming webhook
ShopiMind signs its webhooks. The SDK provides SpmRequestValidator to verify the authenticity of an incoming request (HMAC signature) before processing it.
javascript
const { SpmRequestValidator } = require('@shopimind/sdk-shopimind');
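// Verify the HMAC signature first: nothing in req.body is trusted until this passes.
const validation = SpmRequestValidator.validateRequest({
  // Client identifier and HMAC token, read from the ShopiMind request headers.
  clientId: req.headers['shopimind-client-identifiant'],
  hmacToken: req.headers['shopimind-token'],
  // NOTE(review): this must be the same content that was signed. Confirm against
  // the SDK documentation whether the validator expects the parsed object or the raw payload.
  body: req.body,
  // Shared credentials used to recompute the signature; keep them server-side only.
  apiIdentification: config.apiIdentification,
  apiPassword: config.apiPassword,
});

if (!validation.valid) {
  // The sender is unauthenticated at this point. What validation.error contains is
  // not shown here, so it goes to the server log instead of the response body.
  console.warn('ShopiMind webhook rejected:', validation.error);
  return res.status(401).json({ error: 'Unauthorized' });
}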
// The request is authentic — process the payload with confidence
Full Express example
javascript
const express = require('express');
const { SpmRequestValidator } = require('@shopimind/sdk-shopimind');
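const app = express();

// Read the shared credentials once at startup and refuse to run without them.
// How the validator behaves with an undefined secret is not shown here, so an
// unset variable is treated as a deployment error rather than left to request time.
const apiIdentification = process.env.SPM_API_IDENTIFICATION;
const apiPassword = process.env.SPM_API_PASSWORD;
if (!apiIdentification || !apiPassword) {
  throw new Error('SPM_API_IDENTIFICATION and SPM_API_PASSWORD must be set');
}

// express.json() gives the handler a parsed object rather than the bytes that were sent.
// NOTE(review): the HMAC only matches if the validator sees the same content that was
// signed. Confirm against the SDK documentation that a parsed body is what it expects.
app.use(express.json());

/**
 * ShopiMind webhook endpoint.
 * Responds 401 when the signature check fails and 200 once the payload is accepted.
 */
app.post('/webhooks/shopimind', (req, res) => {
  const validation = SpmRequestValidator.validateRequest({
    clientId: req.headers['shopimind-client-identifiant'],
    hmacToken: req.headers['shopimind-token'],
    body: req.body,
    apiIdentification,
    apiPassword,
  });

  if (!validation.valid) {
    // The sender is unauthenticated at this point: keep the validator's reason in
    // the server log and answer with a generic 401.
    console.warn('ShopiMind webhook rejected:', validation.error);
    return res.status(401).json({ error: 'Unauthorized' });
  }

  // … your business logic
  res.status(200).json({ received: true });
});
Verify before processing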
Always validate the signature before acting on the contents of a webhook. An unsigned or incorrectly signed request must be rejected with a 401.
Raw body
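Depending on your framework, make sure the body passed to the validator exactly matches the payload received (same keys, same content) so that the HMAC computation matches. If middleware alters the body before it reaches the validator, the signature check will fail even for a genuine request.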