DEV Community

Phillip Gray
Phillip Gray

Posted on

HMAC-Signed Webhooks: Securing Your Event Stream

HMAC-Signed Webhooks: Securing Your Event Stream

Webhooks are powerful—they let external systems react to your events in real time. But there's a catch: how do you know the webhook actually came from you?

Enter HMAC signatures.

The Problem

When your system sends a webhook to a third party's endpoint, anyone who knows that URL can fire requests at it, impersonating your service. They could trigger false transactions, corrupt data, or worse.

The Solution: HMAC-SHA256

HMAC (Hash-Based Message Authentication Code) lets you cryptographically sign each webhook with a shared secret:

  1. You and the webhook consumer share a secret key (known only to both)
  2. You compute an HMAC-SHA256 hash of the webhook body using that secret
  3. You send the hash as a header (usually X-Signature or X-Webhook-Signature)
  4. They recompute the hash on their end—if it matches, the webhook is authentic

Implementation Essentials

Signature = HMAC-SHA256(webhook_body, shared_secret)
Send as: X-Signature: sha256=<hex_encoded_signature>
Enter fullscreen mode Exit fullscreen mode

The consumer verifies by computing the same hash and comparing it to the header value. A mismatch means tampering or forgery.

Why It Works

  • No secrets travel over the wire (only the computed hash)
  • Proves both authenticity (it came from you) and integrity (it hasn't been modified)
  • Standard crypto, widely supported across languages and frameworks

HMAC-signed webhooks are the lightweight, battle-tested way to make your event stream trustworthy.

Top comments (0)