Webhook Security

Signature verification

Every webhook request includes an X-OutPilot-Signature header. Verify this signature to ensure the request came from OutPilot.

How to verify (Node.js)

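const crypto = require('crypto');

// payload: the request body as received; signature: the X-OutPilot-Signature header value
function verifyWebhook(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  const received = Buffer.from(signature || '');
  const computed = Buffer.from(expected);
  // timingSafeEqual throws when the lengths differ, so reject those first
  if (received.length !== computed.length) return false;
  return crypto.timingSafeEqual(received, computed);
}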

How to verify (Python)

import hmac, hashlib

def verify_webhook(payload: bytes, signature: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode(), payload, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(signature, expected)
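
The following is an added example, not OutPilot's own code: a framework-agnostic handler built on the same check, showing which requests it rejects. The handler name, status codes, secret and sample body are constructed, and it assumes the signature is the hex HMAC-SHA256 of the request body bytes, as in the functions above.

```python
import hashlib
import hmac
import json

SECRET = "example-secret"                  # constructed, not a real secret
RAW = b'{"event": "example",  "id": 42}'   # constructed body (note the double space)


def sign(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 over the body bytes, matching verify_webhook above."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def handle_webhook(headers: dict, raw_body: bytes, secret: str):
    """Hypothetical handler: returns (status, parsed_event_or_None)."""
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    signature = lowered.get("x-outpilot-signature")
    if not signature:
        return 401, None                   # unsigned request
    expected = sign(raw_body, secret)
    # Compare as bytes so a non-ASCII header value fails cleanly (no TypeError).
    if not hmac.compare_digest(signature.encode("utf-8", "replace"),
                               expected.encode()):
        return 401, None
    # Parse only after the exact received bytes have been authenticated.
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None


def demo():
    """Status code for each constructed request."""
    sig = sign(RAW, SECRET)
    good = {"X-OutPilot-Signature": sig}
    # Parsing and re-serialising changes whitespace, so the bytes no longer match.
    reserialized = json.dumps(json.loads(RAW)).encode()
    return {
        "valid": handle_webhook(good, RAW, SECRET)[0],
        "missing": handle_webhook({}, RAW, SECRET)[0],
        "truncated": handle_webhook({"X-OutPilot-Signature": sig[:10]}, RAW, SECRET)[0],
        "tampered": handle_webhook(good, RAW.replace(b"42", b"43"), SECRET)[0],
        "reserialized": handle_webhook(good, reserialized, SECRET)[0],
    }
```

The "reserialized" case is the one that most often breaks a working integration: the check must run over the bytes as received, before any JSON middleware rewrites them.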

Webhook secret

Your webhook secret is available in Settings > Webhooks next to each endpoint.