Webhooks
Signing and verification
HMAC-SHA256 over the raw body.
Every delivery includes an X-Webhook-Signature header. Compute HMAC-SHA256 of the raw request body using your endpoint's secret and compare in constant time.
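import { createHmac, timingSafeEqual } from "crypto";
// rawBody: the unparsed request bytes; headerSig: the X-Webhook-Signature header value
const expected = Buffer.from(createHmac("sha256", secret).update(rawBody).digest("hex"));
const received = Buffer.from(headerSig ?? "");
// timingSafeEqual throws if the lengths differ, so compare lengths first
const ok = received.length === expected.length && timingSafeEqual(expected, received);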
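The following is an added example, not code from this page or its provider: a Node.js receiver that buffers the raw bytes, verifies the signature before parsing, and shows why a parsed and re-serialized body no longer verifies. It assumes the header carries the bare hex digest, as the snippet above implies; `verifySignature`, `handleDelivery`, `onEvent`, `checkSamples` and all sample values are names and data made up for this example.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// True only if headerSig is the hex HMAC-SHA256 of rawBody under secret.
// Assumption: the header value is the bare 64-character hex digest.
function verifySignature(secret, rawBody, headerSig) {
  // Reject a missing or malformed header before decoding:
  // Buffer.from(s, "hex") stops silently at the first non-hex character.
  if (typeof headerSig !== "string" || !/^[0-9a-f]{64}$/i.test(headerSig)) return false;
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  return timingSafeEqual(expected, Buffer.from(headerSig, "hex")); // both 32 bytes
}

// node:http handler: buffer the exact bytes received, verify, then parse.
function handleDelivery(req, res, secret, onEvent) { // onEvent: hypothetical callback
  const chunks = [];
  req.on("data", (chunk) => chunks.push(chunk));
  req.on("end", () => {
    const rawBody = Buffer.concat(chunks);
    if (!verifySignature(secret, rawBody, req.headers["x-webhook-signature"])) {
      return res.writeHead(401).end();
    }
    try {
      onEvent(JSON.parse(rawBody.toString("utf8"))); // parse only after verification
      res.writeHead(204).end();
    } catch {
      res.writeHead(400).end(); // signed, but not valid JSON (or onEvent threw)
    }
  });
}

// Constructed sample delivery: secret, body and signature are made up here.
const SECRET = "constructed-endpoint-secret";
const RAW_BODY = Buffer.from('{"id": 42, "event": "invoice.paid",\n "amount": 10.0}');
const SIGNATURE = createHmac("sha256", SECRET).update(RAW_BODY).digest("hex");
// The same payload after a body parser ran and the object was re-serialized:
// whitespace and number formatting change, so the signed bytes no longer match.
const RESERIALIZED = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString("utf8"))));

function checkSamples() {
  return {
    rawBody: verifySignature(SECRET, RAW_BODY, SIGNATURE),
    reserialized: verifySignature(SECRET, RESERIALIZED, SIGNATURE),
    missingHeader: verifySignature(SECRET, RAW_BODY, undefined),
    truncatedSig: verifySignature(SECRET, RAW_BODY, SIGNATURE.slice(0, 16)),
    wrongSecret: verifySignature("other-secret", RAW_BODY, SIGNATURE),
  };
}

console.log(checkSamples());
```

Only the `rawBody` check passes; if a framework's JSON middleware consumes the request before the handler runs, configure it to keep the original bytes rather than signing-checking the parsed object.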