inChurch
Webhooks

Security & Verification

// to-do: Describe in further detail

Signature Header

Each payload sent by the API is signed using HMAC-SHA256 over the raw JSON body, exactly as transmitted (not a re-serialized form of it). The signature is included in the request header:

```
X-API-Signature: sha256=<hex>
```

Signature Validation

To validate the signature, follow these steps:

  1. Extract the raw body of the incoming request (the exact bytes received, before any JSON parsing).
  2. Retrieve the X-API-Signature header value and strip the sha256= prefix.
  3. Recalculate the HMAC-SHA256 of the raw body using your configured secret.
  4. Compare the values using a constant-time comparison to prevent timing attacks.
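The four steps carried through end to end, as an added example that is not part of the original page or the inChurch SDK. It shows both sides: a sender-side helper that produces the X-API-Signature value, and a receiver-side check. The secret and body are constructed sample values, and the demo also shows why step 1 insists on the raw bytes: re-serializing the parsed JSON changes whitespace, so the recomputed HMAC no longer matches.

```python
import hashlib
import hmac
import json

HEADER_NAME = "X-API-Signature"  # header name as documented on the page
PREFIX = "sha256="               # header value format: sha256=<hex>


def sign_payload(raw_body: bytes, secret: str) -> str:
    """Sender side: return the header value to attach, 'sha256=<hex>'."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    return PREFIX + digest


def verify_webhook_signature(raw_body: bytes, header_value, secret: str) -> bool:
    """Receiver side, steps 1-4: raw body, header value, recompute HMAC, constant-time compare."""
    # Step 2: the header must be present and carry the documented prefix.
    if not isinstance(header_value, str) or not header_value.startswith(PREFIX):
        return False
    received_hex = header_value[len(PREFIX):].strip().lower()
    # Step 3: recompute over the raw bytes with the configured secret.
    expected_hex = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    # Step 4: hmac.compare_digest is constant-time and returns False on a length mismatch
    # instead of raising, so a malformed or truncated signature is simply rejected.
    return hmac.compare_digest(received_hex, expected_hex)


def demo():
    """Return (valid, tampered_rejected, reserialized_rejected) for constructed sample data."""
    secret = "example-shared-secret"  # constructed sample secret
    # Constructed raw body as it would arrive on the wire (compact JSON, no spaces).
    raw_body = b'{"event":"member.created","id":42,"name":"Ana"}'
    header = sign_payload(raw_body, secret)

    valid = verify_webhook_signature(raw_body, header, secret)
    # A single changed byte in the body invalidates the signature.
    tampered = verify_webhook_signature(raw_body.replace(b"42", b"43"), header, secret)
    # Parsing and re-serializing inserts spaces after ':' and ',', so the bytes differ
    # and verification fails even though the JSON is semantically identical.
    reserialized = json.dumps(json.loads(raw_body)).encode("utf-8")
    reserialized_ok = verify_webhook_signature(reserialized, header, secret)
    return valid, tampered, reserialized_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

In a real handler, read the body from the request stream once and pass those bytes to verify_webhook_signature before handing them to a JSON parser; framework middleware that parses JSON first and exposes only the parsed object makes step 1 impossible.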

Verification Examples

JavaScript:

```javascript
const crypto = require('crypto');

// payload: raw request body (string or Buffer); signature: X-API-Signature header value
function verifyWebhookSignature(payload, signature, secret) {
  if (typeof signature !== 'string' || !signature.startsWith('sha256=')) {
    return false;
  }
  const expectedSignature = signature.slice('sha256='.length);
  const hmac = crypto.createHmac('sha256', secret);
  hmac.update(payload, 'utf8');
  const calculatedSignature = hmac.digest('hex');
  const expectedBuf = Buffer.from(expectedSignature, 'hex');
  const calculatedBuf = Buffer.from(calculatedSignature, 'hex');
  // timingSafeEqual throws on buffers of different length, so reject those first
  if (expectedBuf.length !== calculatedBuf.length) {
    return false;
  }
  return crypto.timingSafeEqual(expectedBuf, calculatedBuf);
}
```

Python:

```python
import hashlib
import hmac

# payload: raw request body as bytes; signature: X-API-Signature header value
def verify_webhook_signature(payload, signature, secret):
    expected_signature = signature.replace('sha256=', '')
    calculated_signature = hmac.new(secret.encode('utf-8'), payload, hashlib.sha256).hexdigest()
    # compare_digest is constant-time and returns False on a length mismatch
    return hmac.compare_digest(expected_signature, calculated_signature)
```