You can verify that requests are valid and are coming from our platform by checking the sha256 signature of the posted JSON data.

The signature can be found in the x-hook-signature header.

Every webhook has a unique secret key that can be used to generate a hash to compare the signature with.

const hash = crypto.createHmac('sha256', secret)
    .update(req.body) // the raw JSON string

if (req.headers['x-hook-signature'] !== hash) {
 throw new Error('Invalid Request')