New Releases

Security Update: Webhook Signature Verification

Protecting your data is our top priority. We've added webhook signature verification to ensure the integrity and authenticity of webhook events.

How it works

Each webhook request will contain an `X-Signature` header. This signature is an HMAC-SHA256 hash of the request payload, computed using your webhook's secret key.

Verifying the signature

Here's an example of how to verify the signature in a Node.js application:

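```javascript
const crypto = require('crypto');
const express = require('express');

const app = express();

// Verify the X-Signature header against the raw request body (a Buffer).
function verifyWebhook(payload, signature, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  const digest = Buffer.from('sha256=' + hmac.update(payload).digest('hex'));
  const received = Buffer.from(signature || '');

  // timingSafeEqual throws on buffers of different length, so check length first.
  if (received.length !== digest.length || !crypto.timingSafeEqual(digest, received)) {
    throw new Error('Invalid signature.');
  }

  console.log('Signature is valid!');
  return true;
}

// Example usage in an Express route.
// express.raw() keeps req.body as the exact bytes that were sent;
// re-serializing a parsed body with JSON.stringify may not reproduce them.
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  try {
    const signature = req.headers['x-signature'];
    verifyWebhook(req.body, signature, process.env.WEBHOOK_SECRET);
    // Parse only after the signature has been verified
    const event = JSON.parse(req.body.toString('utf8'));
    // Process the webhook event
    res.status(200).send('Success');
  } catch (error) {
    res.status(400).send('Signature verification failed.');
  }
});
```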
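
As an added illustration (not code from the original release note): a round trip that signs a constructed body the way the note describes and checks it on the receiving side, showing that verification passes on the raw bytes but fails once the body has been parsed and re-serialized. The secret, the sample body and the helper names `signBody`, `isValidSignature` and `reserialize` are assumptions made for the example; the `sha256=` prefix follows the snippet above.

```javascript
const crypto = require('crypto');

// Sender side (assumed): HMAC-SHA256 over the exact body bytes, 'sha256=' + hex.
function signBody(rawBody, secret) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Receiver side: returns true/false and never throws on a malformed header.
function isValidSignature(rawBody, header, secret) {
  if (typeof header !== 'string') return false; // header missing
  const expected = Buffer.from(signBody(rawBody, secret));
  const received = Buffer.from(header);
  // timingSafeEqual requires equal lengths; a length mismatch is simply invalid.
  return received.length === expected.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed sample data, not taken from a real integration.
const SECRET = 'example-secret-not-real';
const RAW_BODY = Buffer.from('{ "id": 42, "amount": 10.0, "note": "caf\\u00e9" }');
const HEADER = signBody(RAW_BODY, SECRET);

// What a verifier hashes if it parses the body and serializes it again:
// whitespace, "10.0" and the \u00e9 escape all come out differently.
function reserialize(rawBody) {
  return Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))));
}

function demo() {
  const tampered = Buffer.from(RAW_BODY.toString('utf8').replace('42', '43'));
  return {
    rawBytes: isValidSignature(RAW_BODY, HEADER, SECRET),
    reserialized: isValidSignature(reserialize(RAW_BODY), HEADER, SECRET),
    tamperedBody: isValidSignature(tampered, HEADER, SECRET),
    wrongSecret: isValidSignature(RAW_BODY, HEADER, 'other-secret'),
    truncatedHeader: isValidSignature(RAW_BODY, HEADER.slice(0, 20), SECRET),
    missingHeader: isValidSignature(RAW_BODY, undefined, SECRET),
  };
}

console.log(demo());
```

Only `rawBytes` comes back `true`; the re-serialized body carries the same data but different bytes, so its HMAC no longer matches the header.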

We strongly recommend that you implement signature verification for all your webhook endpoints.