Skip to content
On this page

Check the webhook signatures

Doppio signs each request to your webhook endpoint. Check this signature to make sure the request was made by us and not an unfriendly third-party. It also ensures the request payload was not tempered with on the way.

What do I need

You need 3 elements to check your webhook endpoint incoming requests :

  1. Your secret signature key: available on your Doppio account, under the API key tab. Please make sure it is kept secret, as anyone in possession of this will be able to impersonate us and generate valid (but false) webhook requests to your endpoint.

  2. The request signature: available on the request header x-doppio-payload-signature.

  3. The request payload: in raw format only, exactly as it is received. You might need to disable your body parser to get it.

How to check

The request signature available on the header x-doppio-payload-signature is a sha-256 HMAC of the request payload using your secret as key, in hex format. To verify it, simply re-create it with the request payload and your secret, then compare it to the request signature. If they are the same, the request is safe to handle. If not, someone tried to impersonate us or tempered with our request.

const computedSignature = crypto.createHmac('sha256', WEBHOOK_SECRET)

const requestSignature = request.get('x-doppio-payload-signature');

if (requestSignature === computedSignature) {
    // Guenuine request
} else {
    // Unsafe

All rights reserved