Security
Webhook endpoints receive system-changing events, so your endpoint should verify that each request is from Jodo before processing it.
Jodo supports multiple validation approaches. You can use one or combine them depending on your security requirements.
Custom Header
Your ERP system can share a custom header name and value with Jodo. Jodo sends that header with webhook requests for the configured event subscription.
Your endpoint should reject requests where the header is missing or does not match the expected value.
IP Address Allowlisting
You can restrict webhook traffic to known Jodo source IPs.
- 3.108.86.33
- 13.127.40.177
- 65.0.77.215
Production
- 3.6.234.242
- 3.111.80.40
- 13.232.24.175
- 43.204.202.190
Signature Verification
For stronger request validation, configure a shared secret. Jodo can use the secret to send a signature in the X-Jodo-Signature request header.
To verify the request:
- Read the raw request body.
- Generate an HMAC SHA-256 signature using the shared secret and raw body.
- Compare your generated signature with X-Jodo-Signature.
- Process the request only when the signatures match.
```python
import hashlib
import hmac

# `request` is your web framework's request object; the attribute names below
# (request.data, request.headers) match Flask. Substitute your framework's equivalent.
from flask import request

secret_key = b"my-secret-key"
# Use the raw, unparsed body: re-serialising JSON can change byte order or whitespace
# and the signature would no longer match.
payload = request.data
received_signature = request.headers.get("X-Jodo-Signature")

expected_signature = hmac.new(
    secret_key,
    payload,
    hashlib.sha256,
).hexdigest()

# A missing header becomes "" so the comparison still fails safely instead of raising.
if hmac.compare_digest(expected_signature, received_signature or ""):
    print("Request from Jodo")
else:
    print("Invalid webhook signature")
```

Use constant-time comparison, such as hmac.compare_digest, to avoid timing-based comparison leaks.
Recommended Setup
For production integrations, use signature verification and IP allowlisting together where possible. Custom headers are useful as an additional guard, but should not be the only validation mechanism for sensitive workflows.
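The layered setup recommended above, as an added example that is not part of the Jodo documentation or SDK: a single verifier that applies the IP allowlist, the custom header and the HMAC signature in that order and reports which check failed. The custom header name and value, the shared secret and the sample payload are constructed for this example; the allowlist uses the first set of source IPs listed on this page.

```python
import hashlib
import hmac
import ipaddress

# Constructed configuration for this example; take the real values from your Jodo setup.
JODO_SOURCE_IPS = {"3.108.86.33", "13.127.40.177", "65.0.77.215"}
SHARED_SECRET = b"my-secret-key"
CUSTOM_HEADER = ("X-ERP-Webhook-Token", "erp-token-123")  # hypothetical header name/value


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body, as sent in X-Jodo-Signature."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(source_ip: str, headers: dict, body: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Cheap checks run first; the signature check runs last.

    source_ip must be the TCP peer address, or an address taken from a proxy header
    only when that proxy is under your control and strips client-supplied copies.
    """
    # 1. IP allowlist: normalise the address so "3.108.086.033"-style variants cannot slip past.
    try:
        ip = str(ipaddress.ip_address(source_ip))
    except ValueError:
        return False, "malformed source address"
    if ip not in JODO_SOURCE_IPS:
        return False, "source IP not in allowlist"

    # 2. Custom header: a missing header or a wrong value is rejected; compare in constant time.
    name, expected = CUSTOM_HEADER
    if not hmac.compare_digest(headers.get(name, "").encode(), expected.encode()):
        return False, "custom header missing or mismatched"

    # 3. Signature over the exact bytes received; any change to the body fails this check.
    received = headers.get("X-Jodo-Signature", "")
    if not hmac.compare_digest(sign(SHARED_SECRET, body).encode(), received.encode()):
        return False, "invalid signature"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"event":"invoice.paid","id":"inv_123"}'  # constructed payload
    hdrs = {"X-ERP-Webhook-Token": "erp-token-123", "X-Jodo-Signature": sign(SHARED_SECRET, body)}
    print(verify_webhook("3.108.86.33", hdrs, body))                               # (True, 'ok')
    print(verify_webhook("3.108.86.33", hdrs, body.replace(b"123", b"999")))       # invalid signature
```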