Transit Security

Whitelist IP Addresses

All endpoints are strongly encouraged to use HTTPS, as this protects the payload in transit. Mondu sends the hooks from the IPs below, so make sure they are whitelisted in your organization’s infrastructure:

Sandbox: 3.67.101.172, 3.69.55.142, 3.72.30.70
Production: 3.68.36.187, 3.127.195.5, 18.194.230.169

Compare Signature

To verify that a webhook was actually sent by Mondu, every payload is signed, and the signature is passed in the HTTP header x-mondu-signature. The signature is hex encoded and can be reproduced by applying HMAC-SHA-256 to the raw body of the webhook with your webhook secret, which can be requested via the API.

After receiving the message, your app should verify the HMAC signature by recomputing it over the raw message body with the webhook HMAC secret and comparing the result to the header value.
To verify the signature:

  • Extract the text of the UTF-8 payload as an array of bytes (including line endings)
  • Compute a SHA256 HMAC digest for the array of bytes with the secret (retrieved from the webhook keys endpoint, GET /webhooks/keys)
  • Base64-encode each of the digests
  • Compare the base64 digest(s) to the values of the x-mondu-signature headers

The code example below demonstrates the process of implementing this message authenticity check:

const crypto = require('crypto')

// Verifies the x-mondu-signature header: the hex-encoded HMAC-SHA256 of the raw body.
module.exports = class MonduVerifier {
    constructor(secret) {
        this.secret = secret
    }

    verify(payload, signature) {
        // Hash the raw body bytes with the webhook secret, hex encoded like the header.
        const signaturePayload = crypto
            .createHmac('sha256', this.secret)
            .update(payload)
            .digest('hex')

        // Compare in constant time; timingSafeEqual throws on unequal lengths, so check first.
        const expected = Buffer.from(signaturePayload)
        const received = Buffer.from(String(signature))
        if (expected.length !== received.length) {
            return false
        }
        return crypto.timingSafeEqual(expected, received)
    }
}

const MonduVerifier = require('./mondu_verifier.js')
// secret: the webhook key from GET /webhooks/keys; payload: the raw request body;
// signature: the value of the x-mondu-signature header.
const verifier = new MonduVerifier(secret)
verifier.verify(payload, signature)