Validating Webhook Events
WiseWay signs every webhook event with an HMAC-SHA256 signature so you can verify that the payload hasn't been tampered with and genuinely originated from WiseWay.
How It Works
Each webhook delivery includes a signature in the x-wiseway-signature header. To validate:
- Extract the signature from the x-wiseway-signature header
- Compute an HMAC-SHA256 hash using your webhook's secret key and the raw JSON request body
- Compare your computed signature with the one in the header
If they match, the event is authentic.
Finding Your Secret Key
- Go to Settings > Webhooks
- Find the webhook you want to validate
- Click the eye icon to reveal the secret key
- Copy and store it securely in your server's environment variables
Example (Node.js)
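```javascript
import crypto from "crypto";
import express from "express";

const app = express();

// Returns true only if `signature` is the hex HMAC-SHA256 of `payload` under `secret`.
function verifyWebhookSignature(payload, signature, secret) {
  // A missing header or an unparsed body is a failed check, not an exception.
  if (typeof signature !== "string" || !Buffer.isBuffer(payload)) return false;

  const computed = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest();
  const received = Buffer.from(signature, "hex");

  // timingSafeEqual throws if the buffers differ in length, so check first.
  if (received.length !== computed.length) return false;
  return crypto.timingSafeEqual(computed, received);
}

// In your webhook handler:
// express.raw() leaves req.body as a Buffer holding the exact bytes that were signed.
// Re-serializing a parsed body with JSON.stringify() can produce different bytes.
app.post("/webhook", express.raw({ type: "application/json" }), (req, res) => {
  const signature = req.headers["x-wiseway-signature"];
  if (!verifyWebhookSignature(req.body, signature, process.env.WEBHOOK_SECRET)) {
    return res.status(401).json({ error: "Invalid signature" });
  }
  // Parse only after the signature has been verified.
  const event = JSON.parse(req.body.toString("utf8"));
  // Process the event...
  res.status(200).json({ received: true });
});
```
Example (Python)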
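```python
import hmac
import hashlib


def verify_signature(payload: bytes, signature: str, secret: str) -> bool:
    # payload must be the raw request body bytes, exactly as received
    computed = hmac.new(
        secret.encode("utf-8"),
        payload,
        hashlib.sha256
    ).hexdigest()
    # Constant-time comparison of the two hex strings
    return hmac.compare_digest(computed, signature)
```
Security Tips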
- Always validate signatures before processing webhook data
- Use timingSafeEqual (Node.js) or hmac.compare_digest (Python) to prevent timing attacks
- Never log or expose your webhook secret key
- Rotate secrets periodically via Settings > Webhooks
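
The Python check above, extended to the cases a handler meets in practice, as an added example that is not WiseWay's code: it verifies the exact received bytes, treats a missing or malformed header as a mismatch, and shows that a body parsed and re-serialized no longer matches. The secret, event body and helper names are constructed for illustration; the hex encoding of the header follows the examples above.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values for this example; not real WiseWay data.
SECRET = "example-webhook-secret"
RAW_BODY = b'{"id":"evt_1","type":"payment.completed","amount":10.0}'


def sign(body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 over the exact bytes (stands in for the sender here)."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify(body: bytes, header: Optional[str], secret: str) -> bool:
    """Return True only for a well-formed signature that matches the raw body."""
    if not header:
        return False  # header absent or empty
    try:
        received = bytes.fromhex(header.strip())
    except ValueError:
        return False  # not valid hex
    expected = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).digest()
    # compare_digest returns False on a length mismatch instead of raising.
    return hmac.compare_digest(expected, received)


def reserialized(body: bytes) -> bytes:
    """The bytes a handler would hash if it parsed the JSON and dumped it again."""
    return json.dumps(json.loads(body)).encode("utf-8")


if __name__ == "__main__":
    good = sign(RAW_BODY, SECRET)
    print("raw body:          ", verify(RAW_BODY, good, SECRET))
    print("re-serialized body:", verify(reserialized(RAW_BODY), good, SECRET))
    print("missing header:    ", verify(RAW_BODY, None, SECRET))
    print("malformed header:  ", verify(RAW_BODY, "zz-not-hex", SECRET))
    print("truncated header:  ", verify(RAW_BODY, good[:-2], SECRET))
```

Only the first call succeeds: the re-serialized body differs from the signed bytes in whitespace alone, which is enough to change the HMAC.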