Because of the way webhooks work, attackers can impersonate services by simply sending a fake webhook to an endpoint. Think about it: it's just an HTTP POST from an unknown source. This is a potential security hole for many applications, or at the very least, a source of problems.

In order to prevent it, HotMic signs every webhook and its metadata with a unique key for each endpoint. This signature can then be used to verify the webhook indeed comes from HotMic, and only process it if it is.

Another potential security hole is what's called replay attacks. A 

 is when an attacker intercepts a valid payload (including the signature), and re-transmits it to your endpoint. This payload will pass signature validation, and will therefore be acted upon.

To mitigate this attack, HotMic includes a timestamp for when the webhook attempt occurred. Our libraries automatically reject webhooks with a timestamp that are more than five minutes away (past or future) from the current time. This requires your server's clock to be synchronised and accurate, and it's recommended that you use 

For more information about how to verify, review this documentation from our partner: 

Replaying Messages

Verifying Webhooks

Social Features

HotMic Docs

Org Set Up

Creator Onboarding

Stream Creation

Dashboard

Introduction

Creator Audio and Video

Uploaded Video

2nd Screen TV Sync

CMS Content

Media Integration

Chat

Polls, Points, & Leaderboards

Guest Call-In

Moderator tools

Picture-In-Picture

Streams

Tipping or In-App purchases

Paywalls

Products (Live Shopping)

Monetization

API Recent Changelog

Using Your Own Player (Android)

 Android SDK

Using Your Own Player (iOS)

iOS SDK

Javascript SDK

Custom Themes

SDK Analytics

Single Sign-On (SSO) (BETA)

Adding Endpoints

Webhook Logs 

Webhooks

Integrations & SDKs

Custom Fields & Tags

Recordings & Content Management

Changelog (2023)

Changelog

Usage Limits & Recommendations