This page covers the verification step when first setting up a webhook on Dashboard. Please see our payload verification section for information on how to verify webhook payloads from vehicles.

When you first set up a webhook in the Smartcar Dashboard, Smartcar will post a challenge request to ensure we’re sending payloads to the correct place. This is a one time event and will be in the following format:

verificationRequest.body
    {
        "version": "2.0",
        "webhookId": "<uuid>",
        "eventName": "verify",
        "payload": { "challenge": "<random-string>" }
    }

Upon receiving the request, your server will need respond to the challenge by hashing payload.challenge with your application_management_token to create a SHA-256 based HMAC.

Our backend SDKs have helper methods to generate the HMAC.

    hmac = smartcar.hash_challenge(
            application_management_token, 
            payload.challenge
        )

Return the hex-encoded hash as the value for challenge in your response body with a 200 status code, and the Content-Type header set to application/json.

verificationResponse.body
{
  "challenge" : "{HMAC}"
}