Webhooks
Signature Verification
Verify webhook authenticity before processing any event payload.
Overview
Always verify request signatures with your webhook secret to prevent forged event injection.
What You Will Learn
- How X-PinBridge-Signature is validated.
- Why raw request body handling matters for signature checks.
- Rotation strategy for webhook secrets.
Implementation Checklist
- Read the raw request body before JSON parsing.
- Compute an HMAC-SHA256 over the raw body with your stored webhook secret and compare it to the header value in constant time.
- Reject mismatched signatures with 401 and log attempt context.
Example
import crypto from 'node:crypto';
function verifySignature(rawBody: string, signature: string, secret: string): boolean {
  // Digest the raw bytes as received; parsing and re-serialising JSON first would change them.
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  const received = Buffer.from(signature, 'hex');
  const expectedBuf = Buffer.from(expected, 'hex');
  // timingSafeEqual throws on a length mismatch, so reject differing lengths up front.
  if (received.length !== expectedBuf.length) return false;
  return crypto.timingSafeEqual(received, expectedBuf);
}
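The following is an added example that extends the checklist and the rotation point above; it is not PinBridge's own code. It assumes, as the page's example does, that X-PinBridge-Signature carries the lowercase hex HMAC-SHA256 of the raw body. It verifies against a list of secrets (the current one plus the previous one during a rotation overlap window), returns 401 with a loggable reason on rejection, and shows why re-serialising the parsed JSON breaks verification. The secrets and payload are constructed sample values.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

interface VerifyResult {
  ok: boolean;
  status: 200 | 401;       // 401 on any rejection, per the checklist
  matchedSecret?: string;  // which secret verified; useful while a rotation is in progress
  reason?: string;         // for your logs only; do not echo it back to the sender
}

function hmacHex(rawBody: string, secret: string): string {
  return createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex');
}

// Constant-time comparison. timingSafeEqual throws on a length mismatch, so guard first.
function safeEqualHex(a: string, b: string): boolean {
  const ab = Buffer.from(a, 'hex');
  const bb = Buffer.from(b, 'hex');
  if (ab.length === 0 || ab.length !== bb.length) return false;
  return timingSafeEqual(ab, bb);
}

// Rotation strategy: list the new secret first and keep the previous one until the
// sender has switched over, then drop it. Any match in the list is accepted.
function verifyWebhook(
  rawBody: string,
  header: string | undefined,
  secrets: string[],
): VerifyResult {
  if (!header) return { ok: false, status: 401, reason: 'missing X-PinBridge-Signature' };
  // Assumed format (not from the PinBridge docs): 64 hex chars, a bare SHA-256 digest.
  if (!/^[0-9a-f]{64}$/i.test(header)) return { ok: false, status: 401, reason: 'malformed signature' };
  for (const secret of secrets) {
    if (safeEqualHex(header, hmacHex(rawBody, secret))) {
      return { ok: true, status: 200, matchedSecret: secret };
    }
  }
  return { ok: false, status: 401, reason: 'signature mismatch' };
}

// Constructed sample delivery. The spaces after the colons are part of the signed bytes.
const SAMPLE_RAW_BODY = '{"event": "pin.created", "id": "evt_123"}';
const CURRENT_SECRET = 'whsec_new_constructed';
const PREVIOUS_SECRET = 'whsec_old_constructed';
// The sender is still signing with the previous secret mid-rotation.
const SAMPLE_SIGNATURE = hmacHex(SAMPLE_RAW_BODY, PREVIOUS_SECRET);

// Why the raw body matters: JSON.parse + JSON.stringify drops the spaces, so the
// digest of the re-serialised text no longer matches even though the data is unchanged.
function reserializedBodyVerifies(): boolean {
  const reserialized = JSON.stringify(JSON.parse(SAMPLE_RAW_BODY));
  return verifyWebhook(reserialized, SAMPLE_SIGNATURE, [CURRENT_SECRET, PREVIOUS_SECRET]).ok;
}

const result = verifyWebhook(SAMPLE_RAW_BODY, SAMPLE_SIGNATURE, [CURRENT_SECRET, PREVIOUS_SECRET]);
console.log(result.status, result.matchedSecret ?? result.reason);
console.log('re-serialised body verifies:', reserializedBodyVerifies());
```

In a real handler, capture the raw body with a body-parsing middleware that exposes the original bytes (or read the stream yourself) and call verifyWebhook before any JSON parsing; log result.reason together with the source address and header value, and only then parse the body.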