Webhooks

Verifying signatures

If you set a secret, every delivery includes X-Webhook-Signature: sha256=<hex>. Recompute it and compare in constant time.

const crypto = require('crypto');

function verify(secret, rawBody, sigHeader) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex');
  // Constant-time compare
  const a = Buffer.from(expected);
  const b = Buffer.from(sigHeader || '');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

import hmac, hashlib

def verify(secret: str, raw_body: bytes, sig_header: str) -> bool:
    expected = 'sha256=' + hmac.new(
        secret.encode(), raw_body, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, sig_header or '')

# expected = "sha256=$(printf '%s' "$RAW_BODY" | openssl dgst -sha256 -hmac "$SECRET" -binary | xxd -p -c 256)"
# compare $expected to "$X_WEBHOOK_SIGNATURE" in constant time