Glossary
Webhook signing
Cryptographically proving a webhook payload's authenticity.
Webhook signing attaches a cryptographic signature — typically an HMAC of the raw request body using a shared secret — to each delivery, usually in a header. The receiver recomputes the HMAC over the body it received and compares; if they differ, the request is rejected.
Without signing, your webhook endpoint is an open door: anyone who learns the URL can POST fake submissions. Signing proves the payload was produced by the holder of the secret and was not altered in transit, turning a public URL into a trusted channel.
Verify against the exact raw bytes received, before any parsing or re-serialization; use a constant-time comparison so the check does not leak how many bytes matched; and include a timestamp in the signed data so stale deliveries can be rejected as replays. Signing pairs with idempotency: signing establishes authenticity, while idempotency makes retries safe.
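An added, self-contained example (not code from the original entry) of the sender and receiver halves of this scheme in Python: HMAC-SHA256 over the timestamp plus the raw body, a constant-time comparison, a replay window, and an idempotency check on a delivery id. The header names, the secret, the body and the 300-second tolerance are all constructed for the demo; it also shows why the receiver must hash the bytes as delivered rather than a re-serialized copy.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values: a shared secret and a raw JSON body exactly as delivered.
SECRET = b"constructed-demo-secret"
RAW_BODY = b'{"event":"form.submitted","id":"evt_demo_1","amount":10}'
TOLERANCE_SECONDS = 300  # assumed replay window; match it to the sender's retry policy


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' so the timestamp is covered by the signature."""
    msg = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_headers(secret: bytes, raw_body: bytes, timestamp: Optional[int] = None) -> dict:
    """Sender side: attach timestamp and signature headers (header names are assumed)."""
    ts = int(time.time()) if timestamp is None else timestamp
    return {
        "X-Webhook-Timestamp": str(ts),
        "X-Webhook-Signature": "sha256=" + sign(secret, ts, raw_body),
    }


def verify(secret: bytes, headers: dict, raw_body: bytes,
           now: Optional[int] = None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Receiver side: recompute over the exact bytes received and compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Webhook-Timestamp"])
        scheme, _, provided = headers["X-Webhook-Signature"].partition("=")
    except (KeyError, ValueError):
        return False
    if scheme != "sha256" or not provided:
        return False
    if abs(now - ts) > tolerance:  # stale or future-dated: treat as a replay
        return False
    expected = sign(secret, ts, raw_body)
    return hmac.compare_digest(expected, provided)  # constant-time, never ==


class Receiver:
    """Verification plus idempotency: each delivery id is processed at most once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_ids = set()
        self.processed = []

    def handle(self, headers: dict, raw_body: bytes, now: Optional[int] = None) -> str:
        if not verify(self.secret, headers, raw_body, now=now):
            return "rejected"
        event = json.loads(raw_body)  # parse only after the signature checks out
        if event["id"] in self.seen_ids:
            return "duplicate"  # a retry of an already-handled delivery: safe to ignore
        self.seen_ids.add(event["id"])
        self.processed.append(event)
        return "processed"


def demo() -> dict:
    """Run the genuine, re-serialized, tampered, stale, retried and forged cases."""
    ts = 1_700_000_000
    headers = build_headers(SECRET, RAW_BODY, ts)
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()  # same JSON, different bytes
    tampered = RAW_BODY.replace(b'"amount":10', b'"amount":9999')
    rx = Receiver(SECRET)
    return {
        "genuine": verify(SECRET, headers, RAW_BODY, now=ts),
        "reserialized_body": verify(SECRET, headers, reserialized, now=ts),
        "tampered_body": verify(SECRET, headers, tampered, now=ts),
        "stale": verify(SECRET, headers, RAW_BODY, now=ts + TOLERANCE_SECONDS + 1),
        "first_delivery": rx.handle(headers, RAW_BODY, now=ts),
        "retry": rx.handle(headers, RAW_BODY, now=ts + 5),
        "forged": rx.handle(headers, tampered, now=ts),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `reserialized_body` case is the one that bites in practice: a framework that hands you a parsed object and you re-encode it will produce different bytes (whitespace, key order, number formatting), so the HMAC no longer matches even though the data is "the same". Read the raw body from the request stream and hash that.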