Baz Denson

Authenticating a POST into SF rest webservice endpoint

I am trying to get GoCardless Webhooks to work. They were working in sandbox but can't seem to get them to work in production. From looking at it I need to get an authentication token but I'm sure I didn't have to do this before.

This is the API Reference entry from GoCardless, can anyone give me any pointer please?

Webhooks notify you of new events in your GoCardless account (e.g., when the bank informs us that one of your payments has failed).
You can enable webhooks by creating a Webhook Endpoint in your GoCardless dashboard.
When an event occurs to a mandate or payment in your GoCardless account, a webhook will be sent to every enabled webhook endpoint as a POST request, which contains a list of events.
There are a few other things to note when using webhooks:
Webhooks may arrive out of order.
Webhooks may contain multiple events. These events need not have anything in common (i.e., they may be for different actions and resources).
When deciding what actions to take in response to Webhook events, we recommend you switch on the details[cause] field. Other fields such as details[reason_code], are payment scheme-specific and can be inconsistent between banks, whereas the details[cause] field is our simplified and predictable key indicating what triggered the event.
Webhooks with an invalid signature must return a 498 Token Invalid error.
Webhooks about unknown events should be ignored, and return 204 No Content. GoCardless may add new events to the API without considering this a backwards incompatible change.
You must use SSL/TLS for webhook URLs. Unsecured webhook URLs are only allowed in the sandbox environment.
Webhooks include an Origin header indicating what GoCardless environment they were sent from. This will be https://api.gocardless.com for live, and https://api-sandbox.gocardless.com for sandbox.
All the webhooks you’ve ever been sent are viewable in your GoCardless dashboard in the “Developers” area.


Your webhook handler should return a response with a 2xx status code, e.g. 200 OK, or 204 No Content. If the webhook signature is invalid, you should return a 498 Invalid Token.


In the event we fail to deliver the webhook, or you respond with a non 2xx status code, we will attempt to resend the webhook up to 10 times at increasing time intervals.
You can view webhooks we’ve sent you in your GoCardless dashboard, and can retry them if required.


We send webhooks from the following IP addresses which you may wish to whitelist in your firewall:
We will provide advance notification by email at least two weeks before we make any changes to these addresses.
You can set the email we will contact you at from your Dashboard - simply click “Settings” in the top-right hand corner, then “Contact preferences”, and then edit your developer contact.


We sign the body of the POST request with an HMAC SHA256 hex digest, using the secret of the webhook endpoint for which this webhook is being sent. This is done using an additional header:
The HMAC SHA256 hex digest of the request body.
You must check that the webhook has a valid signature before processing it. Here’s how you could do that in Ruby:
# request_signature - the signature sent in Webhook-Signature
# request_body - the JSON body of the webhook request
# secret - the secret for the webhook endpoint
require "openssl"

digest = OpenSSL::Digest.new("sha256")
calculated_signature = OpenSSL::HMAC.hexdigest(digest, secret, request_body)

if calculated_signature == request_signature
  # Signature ok!
else
  # Invalid signature. Ignore the webhook and return 498 Token Invalid
end
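
The check quoted above, extended into a complete handler as an added example (not part of the original post or of GoCardless's documentation): it verifies the HMAC over the raw request body with a constant-time comparison instead of `==`, returns 498 on a bad or missing signature, and ignores events whose details[cause] it does not recognise. The names `handle_webhook`, `secure_equal?`, `sign`, the top-level `"events"` key, the handled cause and all sample values are assumptions constructed for illustration.

```ruby
require "openssl"
require "json"

# Constructed sample values, not real GoCardless data.
SAMPLE_SECRET = "constructed-endpoint-secret"
SAMPLE_BODY = '{"events":[{"id":"EV1","details":{"cause":"insufficient_funds"}},' \
              '{"id":"EV2","details":{"cause":"cause_added_later"}}]}'
# Causes this hypothetical handler acts on; anything else is ignored.
HANDLED_CAUSES = %w[insufficient_funds].freeze

# HMAC SHA256 hex digest of the exact bytes received.
def sign(body, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), secret, body)
end

# Compare without stopping at the first differing byte, so response
# timing does not reveal how much of a guessed signature was correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns [http_status, ids_of_events_acted_on].
# raw_body must be the unparsed request body: re-serialising the JSON
# before hashing changes the bytes and the signature will not match.
def handle_webhook(raw_body, signature_header, secret)
  # A missing header becomes "" and fails the length check.
  return [498, []] unless secure_equal?(sign(raw_body, secret), signature_header.to_s)

  # Parse only after the signature has been verified.
  events = JSON.parse(raw_body).fetch("events", [])
  acted_on = events.select { |e| HANDLED_CAUSES.include?(e.dig("details", "cause")) }
                   .map { |e| e["id"] }
  # Nothing recognised: acknowledge with 204 so the webhook is not resent.
  [acted_on.empty? ? 204 : 200, acted_on]
end
```

The secret passed in must be the one configured on the webhook endpoint for the environment sending the request, so a handler that validates sandbox webhooks will reject live ones until it is given the live endpoint's secret.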