Webhook verification

Created by Mayank Singhal, Modified on Sat, 11 Jul at 6:14 PM by Mayank Singhal

Question:


How do we verify that a webhook actually came from the provider and not from an attacker? (HMAC signature, mTLS certificate, IP allowlist, etc.)

Answer:

HMAC-SHA256 signature in the Webhook-Signature header, formatted t=<unix>,v1=<hex>, computed over <timestamp>.<raw-body> using a unique per-endpoint signing secret (encrypted at rest, rotatable). The timestamp guards against replay; verify server-side before processing. Each delivery carries a stable id for idempotent retry handling. Delivery is SSRF-guarded; source-IP details available on request.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article