    Verify Webhook Signatures

    Learn how to verify HMAC-SHA256 signatures on incoming Genju webhooks to ensure authenticity.

    Why verify?

    Every webhook Genju sends includes an `X-Genju-Signature` header containing an HMAC-SHA256 signature. Always verify this before processing the payload to ensure it genuinely came from Genju.

    How it works

    When you register a webhook, Genju returns a `secret`. Use this secret to compute an HMAC-SHA256 hash of the raw payload body. Compare it to the signature header using a timing-safe comparison.

    JavaScript example

    Here's a complete Express.js webhook handler with signature verification.
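    ```javascript
    const crypto = require('crypto');
    const express = require('express');

    const app = express();
    // Secret returned when the webhook was registered (env var name is an assumption)
    const WEBHOOK_SECRET = process.env.GENJU_WEBHOOK_SECRET;

    // express.raw keeps the body as a Buffer so the HMAC covers the exact bytes received
    app.post('/webhook', express.raw({ type: '*/*' }), (req, res) => {
      const sig = req.headers['x-genju-signature'] || '';
      // An empty or unparsed body never matches a valid signature
      const raw = Buffer.isBuffer(req.body) ? req.body : Buffer.alloc(0);
      const expected = 'sha256=' + crypto
        .createHmac('sha256', WEBHOOK_SECRET)
        .update(raw)
        .digest('hex');

      const sigBuf = Buffer.from(sig);
      const expectedBuf = Buffer.from(expected);
      // timingSafeEqual throws on a length mismatch, so compare lengths first
      if (sigBuf.length !== expectedBuf.length ||
          !crypto.timingSafeEqual(sigBuf, expectedBuf)) {
        return res.status(401).json({ error: 'Invalid signature' });
      }

      // Parse and process the event only after the signature has been verified
      const event = JSON.parse(raw.toString('utf8'));
      console.log('Event:', event.event);
      res.status(200).json({ received: true });
    });

    app.listen(3000); // port is an example value
    ```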
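
The verification step described under "How it works", written as a framework-free function and run against constructed inputs. This is an added example, not Genju's code: the secret, payload and function names are made up for illustration. It shows why the HMAC must cover the raw bytes: re-serializing the parsed JSON changes the bytes, so the check fails.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// Constructed sample values, not real Genju data.
const SECRET = 'example-secret-constructed';
// Raw bytes as received; note the extra spaces a JSON re-encoder would drop.
const RAW_BODY = Buffer.from('{"event": "order.created",  "id": 42}', 'utf8');

// Builds a header value in the 'sha256=<hex>' form used by the handler on this page.
function sign(rawBody, secret) {
  return 'sha256=' + createHmac('sha256', secret).update(rawBody).digest('hex');
}

// True only if `header` is the HMAC-SHA256 of `rawBody` under `secret`.
function verifySignature(rawBody, header, secret) {
  if (typeof header !== 'string') return false; // header absent
  const expected = Buffer.from(sign(rawBody, secret));
  const received = Buffer.from(header);
  // timingSafeEqual throws a RangeError on unequal lengths, so check first.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Runs each case and returns the outcomes.
function demo() {
  const header = sign(RAW_BODY, SECRET);
  const parsed = JSON.parse(RAW_BODY.toString('utf8'));
  const reserialized = Buffer.from(JSON.stringify(parsed), 'utf8');
  return {
    rawBytes: verifySignature(RAW_BODY, header, SECRET),
    reserialized: verifySignature(reserialized, header, SECRET),
    missingHeader: verifySignature(RAW_BODY, undefined, SECRET),
    truncatedHeader: verifySignature(RAW_BODY, header.slice(0, 20), SECRET),
    wrongSecret: verifySignature(RAW_BODY, header, 'some-other-secret'),
  };
}

console.log(demo());
```

Only the `rawBytes` case verifies; the other four are rejected without throwing.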