Developer Documentation
Everything you need to integrate with the FundraiserMax API. Build custom workflows, sync donor data, and connect AI assistants to your fundraising platform.
Signature Verification
Every webhook request includes an X-FundraiserMax-Signature header containing an HMAC-SHA256 signature of the request body. You should verify this signature to ensure the payload was sent by FundraiserMax and has not been tampered with.
Verification Steps
- Extract the X-FundraiserMax-Signature header value from the incoming request.
- Compute the HMAC-SHA256 hash of the raw request body using your webhook signing secret as the key.
- Compare the computed hash with the signature from the header. If they match, the payload is authentic.
Verification Example
# Compute HMAC-SHA256 signature and compare
PAYLOAD='{"id":"whevt_abc123","type":"contact.created"}'
SECRET="your_webhook_signing_secret"
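# printf '%s' writes the payload with no trailing newline in every shell; echo -n is not portable
EXPECTED_SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" | awk '{print $2}')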
echo "Computed signature: $EXPECTED_SIG"
# Compare with X-FundraiserMax-Signature header value
# If they match, the payload is authentic
Important: Always use a constant-time comparison function (e.g., crypto.timingSafeEqual in Node.js or hmac.compare_digest in Python) to prevent timing attacks.
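The three verification steps with the constant-time comparison, as an added Python example (not FundraiserMax's own code). It assumes the header carries the hex digest, as the openssl command above prints; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, keyed with the webhook signing secret."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value is a valid signature for raw_body.

    Assumption: X-FundraiserMax-Signature holds the hex digest (as openssl prints it).
    """
    if not header_value:
        return False  # missing header: reject rather than accept as unsigned
    received = header_value.strip().encode("utf-8", "replace")
    expected = compute_signature(secret, raw_body).encode("ascii")
    # compare_digest takes time independent of where the two values differ.
    # Comparing bytes avoids the TypeError it raises for non-ASCII str input.
    return hmac.compare_digest(expected, received)


# Constructed sample values (not real FundraiserMax data).
SECRET = b"your_webhook_signing_secret"
RAW_BODY = b'{"id":"whevt_abc123","type":"contact.created"}'
GOOD_SIG = compute_signature(SECRET, RAW_BODY)


def demo() -> dict:
    # Parsing and re-dumping the JSON changes whitespace, so the bytes differ.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    tampered = RAW_BODY.replace(b"whevt_abc123", b"whevt_abc124")
    return {
        "valid": verify_webhook(SECRET, RAW_BODY, GOOD_SIG),
        "tampered_body": verify_webhook(SECRET, tampered, GOOD_SIG),
        "reserialized_body": verify_webhook(SECRET, reserialized, GOOD_SIG),
        "missing_header": verify_webhook(SECRET, RAW_BODY, None),
        "truncated_signature": verify_webhook(SECRET, RAW_BODY, GOOD_SIG[:32]),
        "wrong_secret": verify_webhook(b"other_secret", RAW_BODY, GOOD_SIG),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

Pass the body bytes exactly as received from the socket or framework; verifying a parsed and re-serialized body fails even for authentic requests.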