    Webhook Signature Verification

    Secure your webhook endpoints

    Verify webhook authenticity using HMAC signatures.

    How It Works

    Every webhook includes a signature header:

    X-Salesos-Signature: sha256=abc123...

    The value after sha256= is the hex-encoded HMAC-SHA256 of the payload, keyed with your webhook secret.

    Getting Your Secret

  1. Go to Settings → Webhooks
  2. Click on your webhook
  3. Copy the Signing Secret
    Verification Code

    JavaScript/Node.js

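    const crypto = require('crypto');
    const express = require('express');
    
    const app = express();
    
    // payload must be the raw request body (Buffer or string), exactly as received
    function verifySignature(payload, signature, secret) {
      // Reject requests with a missing signature header
      if (typeof signature !== 'string') return false;
      
      const expected = crypto
        .createHmac('sha256', secret)
        .update(payload)
        .digest('hex');
      
      const expectedBuf = Buffer.from(`sha256=${expected}`, 'utf8');
      const receivedBuf = Buffer.from(signature, 'utf8');
      
      // timingSafeEqual throws on unequal lengths, so check the length first
      return (
        expectedBuf.length === receivedBuf.length &&
        crypto.timingSafeEqual(expectedBuf, receivedBuf)
      );
    }
    
    // In your endpoint. express.raw() leaves req.body as the raw Buffer;
    // JSON.stringify(req.body) on a parsed body may not reproduce the
    // bytes that were signed.
    app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
      const signature = req.headers['x-salesos-signature'];
      const isValid = verifySignature(
        req.body,
        signature,
        process.env.WEBHOOK_SECRET
      );
      
      if (!isValid) {
        return res.status(401).send('Invalid signature');
      }
      
      // Process webhook (parse req.body with JSON.parse only after verification)...
      res.status(200).send('OK');
    });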

    Python

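    import hmac
    import hashlib
    
    def verify_signature(payload, signature, secret):
        # Reject requests with a missing signature header
        if not signature:
            return False
        # payload is the raw request body; accept bytes or str
        if isinstance(payload, str):
            payload = payload.encode()
        expected = hmac.new(
            secret.encode(),
            payload,
            hashlib.sha256
        ).hexdigest()
        # Constant-time comparison
        return hmac.compare_digest(f"sha256={expected}".encode(), signature.encode())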

    Security Best Practices

  1. Always verify signatures in production
  2. Use constant-time comparison
  3. Reject requests with missing signatures
  4. Log verification failures for monitoring
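
    The practices above combined in one framework-free handler, as an added example that is not part of the original article. It also shows why the HMAC must be computed over the raw request bytes rather than a re-serialized JSON body. The function names, secret, event name and sample body are constructed assumptions.

```python
import hashlib
import hmac
import json
import logging

log = logging.getLogger("webhook")
HEADER = "x-salesos-signature"  # header name from the article, lowercased


def sign(raw_body: bytes, secret: str) -> str:
    """Header value as the article describes it: sha256=<hex HMAC-SHA256>."""
    return "sha256=" + hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def handle_webhook(headers: dict, raw_body: bytes, secret: str):
    """Return (status, event). The body is parsed only after it verifies."""
    received = {k.lower(): v for k, v in headers.items()}.get(HEADER)
    if not received:  # a missing signature is a rejection, not a pass
        log.warning("webhook rejected: missing signature header")
        return 401, None
    expected = sign(raw_body, secret)
    # compare_digest is the constant-time comparison from the standard library
    if not hmac.compare_digest(expected.encode(), received.encode()):
        # log the failure for monitoring, never the secret or expected value
        log.warning("webhook rejected: signature mismatch, %d body bytes", len(raw_body))
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample data (not real values from the service)
SECRET = "constructed-signing-secret"
RAW = b'{"event": "deal.updated",  "amount": 10.0}'  # note the double space
RESERIALIZED = json.dumps(json.loads(RAW)).encode()  # parse/serialize round trip

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    good = {"X-Salesos-Signature": sign(RAW, SECRET)}
    print(handle_webhook(good, RAW, SECRET))           # raw bytes verify
    print(handle_webhook(good, RESERIALIZED, SECRET))  # same JSON, different bytes
    print(handle_webhook({}, RAW, SECRET))             # no signature header
```

    The second call fails even though the JSON is semantically identical, because the round trip changed the whitespace and therefore the bytes that were signed.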