Guide

Verify Webhooks

Webhook verification protects receivers from forged or replayed requests.

Most providers sign the raw request body with a shared secret. Your receiver should validate that signature before parsing and processing the event.

Verification Checklist

Read the raw body exactly as the provider sent it.
Compare the provider signature header against an HMAC computed with the webhook secret.
Reject stale timestamps when the provider includes one.
Store event ids so duplicate deliveries do not repeat side effects.

FastHook Signatures

When FastHook delivers to your destination, you can use FastHook delivery signatures to verify that the outbound request came through your configured route.

Deduplication patterns
Destinations

Verify Webhooks

Verification Checklist

FastHook Signatures

Next