# Verify Signatures

> Verify SimZ webhook signatures with HMAC-SHA256.

SimZ signs webhook deliveries with HMAC-SHA256 when the webhook has a secret.

## Headers

| Header                | Value                     |
| --------------------- | ------------------------- |
| `X-Webhook-Signature` | `sha256=<hex HMAC>`       |
| `X-Webhook-Timestamp` | Unix timestamp in seconds |

## Signed payload

```text
HMAC-SHA256(secret, "<X-Webhook-Timestamp>.<raw request body>")
```

## Node.js example

```js
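const crypto = require("crypto");

// rawBody must be the request body exactly as received, before any JSON parsing.
// headers uses lower-cased names, as Node's http module provides them.
function verifySimzWebhook(rawBody, headers, secret) {
  const signatureHeader = headers["x-webhook-signature"] || "";
  const timestamp = headers["x-webhook-timestamp"] || "";

  // Recompute "sha256=<hex HMAC>" over "<X-Webhook-Timestamp>.<raw request body>".
  const expected =
    "sha256=" +
    crypto
      .createHmac("sha256", secret)
      .update(`${timestamp}.${rawBody}`)
      .digest("hex");

  // timingSafeEqual throws on buffers of different length, so check length first.
  const a = Buffer.from(signatureHeader);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}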
```
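
The following is an added example, not SimZ's own code. It goes beyond the snippet above to show two failure modes of this scheme: verifying a re-serialized body instead of the raw bytes, and accepting an old but validly signed delivery. The names `signDelivery` and `checkDelivery`, the 300-second tolerance, and the sample secret and payload are assumptions constructed for illustration.

```js
const crypto = require("crypto");

// Assumption: 5-minute replay window. The page does not specify a tolerance.
const TOLERANCE_SECONDS = 300;

// Sender-side computation, used here only to build the constructed sample delivery.
function signDelivery(rawBody, timestamp, secret) {
  return "sha256=" + crypto.createHmac("sha256", secret)
    .update(`${timestamp}.`).update(rawBody).digest("hex");
}

// Returns { ok, reason } so a rejected delivery can be logged with its cause.
function checkDelivery(rawBody, headers, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const signature = String(headers["x-webhook-signature"] || "");
  const timestamp = String(headers["x-webhook-timestamp"] || "");
  if (!secret) return { ok: false, reason: "no-secret" };
  if (!/^\d+$/.test(timestamp)) return { ok: false, reason: "bad-timestamp" };
  // Check the MAC first: the timestamp is only trustworthy once the MAC covering it verifies.
  const a = Buffer.from(signature);
  const b = Buffer.from(signDelivery(rawBody, timestamp, secret));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return { ok: false, reason: "bad-signature" };
  }
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale" };
  }
  return { ok: true, reason: "verified" };
}

// Constructed sample delivery (not real SimZ data). Note the irregular spacing in the JSON.
const SECRET = "constructed-secret";
const NOW = 1700000000;
const RAW = Buffer.from('{"event":"example",  "id": 42}');
const HEADERS = {
  "x-webhook-signature": signDelivery(RAW, NOW, SECRET),
  "x-webhook-timestamp": String(NOW),
};

function demo() {
  const later = NOW + 3600;
  const reserialized = JSON.stringify(JSON.parse(RAW.toString("utf8")));
  const forged = { ...HEADERS, "x-webhook-timestamp": String(later) };
  return {
    raw: checkDelivery(RAW, HEADERS, SECRET, NOW).reason,                   // exact bytes as received
    reparsed: checkDelivery(reserialized, HEADERS, SECRET, NOW).reason,    // parsed, then re-stringified
    replayed: checkDelivery(RAW, HEADERS, SECRET, later).reason,           // same delivery an hour later
    forgedTime: checkDelivery(RAW, forged, SECRET, later).reason,          // timestamp header rewritten
  };
}

console.log(demo());
```

In a framework that parses JSON automatically, capture the raw body before the parser runs and pass those bytes to the check.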