Verifying signatures (HMAC-SHA256)

If you provided a secret_key when subscribing, we include an HMAC signature header computed over the raw request body.

  • Header: X-Webhook-Signature
  • Format: sha256={hex_digest}
  • Algorithm: HMAC-SHA256 with your secret_key

Pseudocode

  • Read the raw request body exactly as received, before any parsing
  • Compute HMAC-SHA256 over it with your secret_key
  • Compare the result, formatted as sha256={hex_digest}, in constant time with the header value

Example (Python)

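import hmac, hashlib

def verify_signature(raw_body: bytes, signature_header: str, secret_key: str) -> bool:
    # Recompute the signature over the raw bytes exactly as received
    expected = 'sha256=' + hmac.new(secret_key.encode('utf-8'), raw_body, hashlib.sha256).hexdigest()
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input
    return hmac.compare_digest((signature_header or '').encode('utf-8'), expected.encode('utf-8'))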

Respond with non-2xx if verification fails.
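
The following is an added example, not part of the original documentation. It shows the check running before JSON parsing, and why a parsed and re-serialized body no longer matches the signature. The names sign and handle_webhook, the 401/400 status codes, and the sample secret and body are assumptions made for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Webhook-Signature"  # header name from the page


def sign(raw_body: bytes, secret_key: str) -> str:
    """Build the header value a sender would attach: sha256={hex_digest}."""
    digest = hmac.new(secret_key.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def handle_webhook(headers: dict, raw_body: bytes, secret_key: str):
    """Verify first, parse second. Returns (status_code, payload_or_None).

    401 and 400 are this example's choices; the page only requires a
    non-2xx response when verification fails.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower(), "")
    expected = sign(raw_body, secret_key)
    # Bytes on both sides: compare_digest rejects non-ASCII str input.
    if not hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8")):
        return 401, None
    try:
        return 200, json.loads(raw_body)  # parse only after the MAC checks out
    except ValueError:
        return 400, None


# Constructed sample data, not real credentials or a real delivery.
SECRET = "example-secret-key"
RAW = b'{"event": "order.created",  "id": 42}'  # note the double space
GOOD = {SIGNATURE_HEADER: sign(RAW, SECRET)}

# Parsing and re-serialising changes the bytes (the double space is lost),
# so the original header no longer matches the body.
RESERIALISED = json.dumps(json.loads(RAW)).encode("utf-8")

if __name__ == "__main__":
    print(handle_webhook(GOOD, RAW, SECRET))           # verified and parsed
    print(handle_webhook(GOOD, RESERIALISED, SECRET))  # rejected: bytes differ
    print(handle_webhook({}, RAW, SECRET))             # rejected: header missing
```

In a web framework, pass the unparsed request bytes to the check rather than a body the framework has already decoded into an object.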