Skip to main content

Signature Verification

Every webhook request includes X-SalesLobe-Signature: sha256=<hmac>. Verify it with your webhook secret to confirm the request is genuine.

const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
const expected = 'sha256=' + crypto
.createHmac('sha256', secret)
.update(JSON.stringify(payload))
.digest('hex');
return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}