Verifying Signatures
Validate webhook payload authenticity with HMAC.
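Each webhook includes an HMAC-SHA256 signature header, computed over the raw body using your signing secret. Compute the same HMAC yourself over the exact bytes you received (before any JSON parsing or re-serialization), and compare the two values with a timing-safe comparison.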
import crypto from "crypto";
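/**
 * Checks a webhook signature against an HMAC-SHA256 of the raw request body.
 *
 * @param raw - The request body exactly as received. Parsing and re-serializing
 *   it first can change the bytes and make a genuine signature fail.
 * @param signature - The hex-encoded signature taken from the webhook header.
 *   This is untrusted input and may be any length.
 * @param secret - The signing secret shared with the webhook sender.
 * @returns `true` only when the supplied signature matches the computed one;
 *   `false` for any mismatch, including a wrong-length or empty signature.
 */
function valid(raw: string, signature: string, secret: string): boolean {
  const expected = Buffer.from(
    crypto.createHmac("sha256", secret).update(raw).digest("hex"),
  );
  const provided = Buffer.from(signature);

  // crypto.timingSafeEqual throws a RangeError when the byte lengths differ,
  // so a malformed header would surface as an unhandled exception instead of
  // a clean rejection. The expected length is fixed and public (64 hex chars),
  // so checking it up front does not reveal anything about the secret.
  if (provided.length !== expected.length) {
    return false;
  }

  return crypto.timingSafeEqual(expected, provided);
}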