Signature Verification

Introduction

Photon signs all webhook events that it sends to your endpoints. This allows you to verify that events were sent by us.

Verifying the Webhook

Each webhook event includes the X-Photon-Signature header. This header contains the signature: the hex-encoded HMAC digest of the request body, computed with your webhook shared secret (the example below uses HMAC-SHA256). To verify that the signature is valid do the following:

  1. Grab the signature from the header and the raw request body (the bytes exactly as received, before any JSON parsing).
  2. Ensure you have access to the webhook shared secret you passed in the webhook configuration screen on the Photon app settings page. (If you didn't include a secret when configuring your webhook, use an empty string "" instead of a secret when generating the digest in the next step. Note that with an empty secret anyone who knows the body can compute a matching digest, so the signature then only shows the body was not altered in transit, not that it came from Photon.)

🚧

We strongly encourage you to include a secret when configuring your webhooks so you can be sure requests are coming from us.

  3. Calculate the HMAC digest with your shared secret and the raw body from the Photon webhook request.
  4. Verify that the calculated digest is the same as the signature in the header. Use a constant-time comparison so response timing does not reveal how much of a guessed signature was correct.

Example

// Javascript
const crypto = require('crypto');
const express = require('express');

// `rawBody` must be the request body exactly as received (for example the
// Buffer captured with express.raw() or the `verify` option of express.json()),
// not a parsed object that is re-serialised: JSON.stringify can change key
// order or whitespace and the digest will no longer match.
function isSignatureValid(signature, rawBody) {
  // Empty string when no secret was configured, as described above.
  const secret = process.env.YOUR_WEBHOOK_SHARED_SECRET || '';
  const digest = Buffer.from(crypto.createHmac('sha256', secret).update(rawBody).digest('hex'), 'hex');
  const received = Buffer.from(String(signature), 'hex');
  // Constant-time comparison; timingSafeEqual throws if the lengths differ.
  return received.length === digest.length && crypto.timingSafeEqual(digest, received);
}