Property-Data-Trust-Framework / api

Open API Specifications for the Property Data Trust Framework
MIT License

Webhook hmac signing #18

Open iWader opened 1 year ago

iWader commented 1 year ago

It's common for webhooks to include an HMAC signature so recipients can verify the payload has come from the expected source and hasn't been tampered with.

  1. A shared secret (random string) should be sent with the POST /transaction/:uuid/subscribe request
  2. For each webhook delivered, a signature should be computed using the payload of the webhook (usually this would be done using HMAC-SHA256 or similar)
  3. The signature generated should be sent in a header when delivering the webhook (e.g. X-PDTF-Signature)
  4. The recipient endpoint should then compute their own signature using the received payload and compare against the X-PDTF-Signature header
  5. If the signatures match, the webhook should continue to be processed. If there is a mismatch, the webhook should be rejected with a 4XX HTTP status
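
The five steps above, sketched as an added example that is not part of the original issue or the PDTF API. Hex encoding of the signature, the 401 status and the sample event are assumptions; the header name is the one suggested in the issue.

```python
import hashlib
import hmac
import json
import secrets

SIGNATURE_HEADER = "X-PDTF-Signature"  # header name suggested in the issue


def new_shared_secret():
    """Step 1: random secret the subscriber sends with the subscribe request."""
    return secrets.token_urlsafe(32)


def sign(secret, body):
    """Step 2: HMAC-SHA256 over the exact body bytes (hex output is an assumption)."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def deliver(secret, event):
    """Step 3 (sender): serialise once, sign those bytes, attach the header."""
    body = json.dumps(event, separators=(",", ":")).encode()
    return {SIGNATURE_HEADER: sign(secret, body)}, body


def receive(secret, headers, raw_body):
    """Steps 4-5 (recipient): return the HTTP status to answer with."""
    received = headers.get(SIGNATURE_HEADER)
    if received is None:
        return 401  # unsigned delivery is rejected (401 chosen here as the 4XX)
    # Sign the raw bytes as received; re-serialising parsed JSON can change them.
    expected = sign(secret, raw_body)
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401
    json.loads(raw_body)  # parse only after the signature checks out
    return 200


if __name__ == "__main__":
    secret = new_shared_secret()
    # Constructed sample event, not a real PDTF payload.
    headers, body = deliver(secret, {"event": "transaction.updated", "id": "constructed-uuid"})
    print(receive(secret, headers, body))          # untouched delivery
    print(receive(secret, headers, body + b" "))   # body altered in transit
    print(receive("other-secret", headers, body))  # signed with a different secret
    print(receive(secret, {}, body))               # header missing
```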

edmolyneux commented 1 year ago

Thanks for the feedback @iWader - we'll be gathering to review the API as part of our transition to a Verifiable Credentials model in a few weeks. Can you drop a note to Maria Harris digitalcatconsultancy@gmail.com to join our Slack conversation, if you're able to contribute?