Verify Signatures

SimZ signs webhook deliveries with HMAC-SHA256 when the webhook has a secret.

Headers

| Header | Value |
| --- | --- |
| X-Webhook-Signature | sha256=<hex HMAC> |
| X-Webhook-Timestamp | Unix timestamp in seconds |

Signed payload

HMAC-SHA256(secret, "<X-Webhook-Timestamp>.<raw request body>")

Node.js example

```javascript
const crypto = require("crypto");

function verifySimzWebhook(rawBody, headers, secret) {
  const signatureHeader = headers["x-webhook-signature"] || "";
  const timestamp = headers["x-webhook-timestamp"] || "";

  // Recompute the signature over "<timestamp>.<raw request body>".
  const expected =
    "sha256=" +
    crypto
      .createHmac("sha256", secret)
      .update(`${timestamp}.${rawBody}`)
      .digest("hex");

  // Compare in constant time; timingSafeEqual throws on unequal lengths,
  // so check the lengths first.
  const a = Buffer.from(signatureHeader);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```
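
An added example (not SimZ's own code) that exercises the signed-payload format above on a constructed delivery: it shows that verification must run over the raw request bytes rather than re-serialized JSON, that the timestamp is covered by the HMAC, and how a receiver can reject replayed deliveries. The 300-second tolerance, the secret, the event body and the function names are assumptions made for this example; the page does not specify a replay window.

```javascript
const crypto = require("crypto");
// Assumption: the page sets no replay window; 300 s is this example's choice.
const TOLERANCE_SECONDS = 300;

// Signature as the page defines it: HMAC-SHA256(secret, "<timestamp>.<raw body>").
function signDelivery(rawBody, timestamp, secret) {
  const mac = crypto.createHmac("sha256", secret);
  mac.update(`${timestamp}.`);
  mac.update(rawBody); // Buffer or string, exactly the bytes received
  return "sha256=" + mac.digest("hex");
}

// Receiver-side check (hypothetical helper). Returns { ok, reason }.
function checkDelivery(rawBody, headers, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const signature = String(headers["x-webhook-signature"] || "");
  const timestamp = String(headers["x-webhook-timestamp"] || "");
  if (!/^\d+$/.test(timestamp)) return { ok: false, reason: "bad-timestamp" };
  const expected = Buffer.from(signDelivery(rawBody, timestamp, secret));
  const received = Buffer.from(signature);
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  // Only trust the timestamp after the HMAC that covers it has verified.
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  return { ok: true, reason: "verified" };
}

// Constructed sample delivery (secret, body and clock are made up).
const SECRET = "example-secret-not-real";
const NOW = 1700000000;
const RAW = Buffer.from('{"event": "message.received",  "id": 42}');
const HEADERS = {
  "x-webhook-timestamp": String(NOW),
  "x-webhook-signature": signDelivery(RAW, String(NOW), SECRET),
};

function demo() {
  // Parsing and re-serializing drops the original whitespace, changing the bytes.
  const reparsed = JSON.stringify(JSON.parse(RAW.toString("utf8")));
  const shifted = { ...HEADERS, "x-webhook-timestamp": String(NOW + 1) };
  return {
    raw: checkDelivery(RAW, HEADERS, SECRET, NOW).reason,
    reparsed: checkDelivery(reparsed, HEADERS, SECRET, NOW).reason,
    shifted: checkDelivery(RAW, shifted, SECRET, NOW).reason,
    replayed: checkDelivery(RAW, HEADERS, SECRET, NOW + 3600).reason,
  };
}
console.log(demo());
```

In a web framework, capture the body as a Buffer before any JSON middleware parses it, and pass that Buffer to the check.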