HMAC Signing

If a webhook is signed with HMAC-SHA256, the signature must be sent via HTTP header. The header name can be configured.

The following formats are supported:

Signature as hex-encoded string

X-Signature: 4643978965ffcec6e6d73b36a39ae43ceb15f7ef8131b8307862ebc560e7f988

X-Signature: v1=4643978965ffcec6e6d73b36a39ae43ceb15f7ef8131b8307862ebc560e7f988

In the second code example, 'v1' is the name of the key. The name does not have to be v1.

Signature as base64-encoded string

X-Signature: BourgoxXQMpz6EBBm8AC12IeK+axMUIjFYkT5T8lt38=

Signature and Timestamp, both in their own header

Signature

X-Signature: <hex-encoded or base64>

Timestamp

The Timestamp should only be specified if it is used in the HMAC-SHA256 hash of the webhook.

X-Timestamp: 1772201257
  • The timestamp must be a Unix timestamp represented as the number of seconds since January 1, 1970.

  • The HMAC is computed over the following string:

    {timestamp}.{payload}

    The delimiter between {timestamp} and {payload} (".") cannot be configured.

Signature and Timestamp in one header

Example 1

X-Signature: t=1772201257,v1=750d48166fc4c314a5a3c9bf825677fd582ec3e7291e9b8666c5e0fae8acb781

Example 2

X-Signature: t=1772201257,sha256=750d48166fc4c314a5a3c9bf825677fd582ec3e7291e9b8666c5e0fae8acb781

The names for the keys (here: 'v1', 't', 'sha256') can be chosen freely.

  • In this form, a base64-encoded hash is not supported.

  • The timestamp must be a Unix timestamp.

  • When using this form, the 'Timestamp Header' field in the webhook configuration should be left empty.
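
The header forms above, checked on the receiving side with a constant-time comparison. This is an added example, not code from the product this page documents. The function names, the timestamp key 't', the 300-second freshness window (max_age) and the use of {timestamp}.{payload} as the signed string in the combined form are assumptions.

```python
import base64
import hashlib
import hmac
import re
import time

HEX64 = re.compile(r"[0-9a-fA-F]{64}")  # hex form of a 32-byte SHA-256 digest


def sign(secret, payload, timestamp=None):
    """HMAC-SHA256 over payload, or over {timestamp}.{payload} when a timestamp is used."""
    if timestamp is not None:
        payload = str(timestamp).encode() + b"." + payload
    return hmac.new(secret, payload, hashlib.sha256).digest()


def parse_header(value, ts_key="t"):
    """Return (digest, timestamp or None) for the X-Signature forms listed above."""
    value, timestamp = value.strip(), None
    if "," in value:  # combined form: t=<unix>,<name>=<hex>
        fields = dict(part.strip().split("=", 1) for part in value.split(","))
        timestamp = fields.pop(ts_key)
        (value,) = fields.values()  # exactly one signature field
        if not HEX64.fullmatch(value):
            raise ValueError("combined form carries a hex digest only")
    elif HEX64.fullmatch(value.partition("=")[2]):  # <name>=<hex>
        value = value.partition("=")[2]
    if HEX64.fullmatch(value):
        return bytes.fromhex(value), timestamp
    digest = base64.b64decode(value, validate=True)  # bad input raises ValueError
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("not a SHA-256 digest")
    return digest, None


def verify(secret, payload, sig_header, ts_header=None, max_age=300, now=None):
    """True only for a well-formed, fresh, matching signature."""
    try:
        received, ts = parse_header(sig_header)
        ts = ts_header if ts_header is not None else ts
        if ts is not None:
            now = time.time() if now is None else now
            if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > max_age:
                return False
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(sign(secret, payload, ts), received)
```

Pass the raw request body bytes as payload; re-serialising parsed JSON before hashing changes the bytes and makes valid signatures fail.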