IDEN
Wacommerce

Verifying Signatures

Validate webhook payload authenticity with HMAC.

Each webhook includes an HMAC-SHA256 signature header over the raw body using your signing secret. Compare it against a hash you compute yourself with a timing-safe comparison.

typescriptimport crypto from "crypto";

function valid(raw: string, signature: string, secret: string) {
  const expected = crypto.createHmac("sha256", secret).update(raw).digest("hex");
  return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
}