HMAC-Signed Webhooks: Securing Your Event Stream
Webhooks are powerful—they let external systems react to your events in real time. But there's a catch: how do you know the webhook actually came from you?
Enter HMAC signatures.
The Problem
When your system sends a webhook to a third party's endpoint, anyone who knows that URL can fire requests at it, impersonating your service. They could trigger false transactions, corrupt data, or worse.
The Solution: HMAC-SHA256
HMAC (Hash-Based Message Authentication Code) lets you cryptographically sign each webhook with a shared secret:
- You and the webhook consumer share a secret key (known only to both)
- You compute an HMAC-SHA256 hash of the webhook body using that secret
-
You send the hash as a header (usually
X-SignatureorX-Webhook-Signature) - They recompute the hash on their end—if it matches, the webhook is authentic
Implementation Essentials
Signature = HMAC-SHA256(webhook_body, shared_secret)
Send as: X-Signature: sha256=<hex_encoded_signature>
The consumer verifies by computing the same hash and comparing it to the header value. A mismatch means tampering or forgery.
Why It Works
- No secrets travel over the wire (only the computed hash)
- Proves both authenticity (it came from you) and integrity (it hasn't been modified)
- Standard crypto, widely supported across languages and frameworks
HMAC-signed webhooks are the lightweight, battle-tested way to make your event stream trustworthy.
Top comments (0)