Skip to main content
When creating webhooks, you have the option to provide a secret key for added security. This secret key is used to generate a signature for each outgoing payload. To ensure the integrity of incoming webhook payloads, you can validate the signature on your server. Webhook Form To add a Webhook, go to the Developers tab of your Fuse account.

Providing a Secret Key

When creating or configuring a webhook, include a secret key in the webhook settings. This key is a shared secret between our server and the recipient of the webhook.

Signature Generation

The signature is generated using the HMAC (Hash-based Message Authentication Code) algorithm with SHA-256. The process involves creating a hexdigest using the secret key and the raw payload of the webhook.

Signature Verification

To validate the incoming webhook payload, you need to generate the signature on your end using the same process and compare it with the signature provided in the incoming request.

Example Code

Below are samples for HTTP requests that handle the signature verifcation process. 
import * as crypto from 'crypto';

function validateSignature(secretKey: string, rawPayload: string, receivedSignature: string): boolean {
  const expectedSignature = crypto.createHmac('sha256', secretKey).update(rawPayload).digest('hex');
  return receivedSignature === expectedSignature;
}

app.post('/webhook', (req, res) => {
  // Retrieve the signature from the headers
  const receivedSignature = req.headers['http_x_fuse_signature_256'];

  const secretKey = 'your_secret_key';

  const isSignatureEqual = validateSignature(secretKey, JSON.stringify(req.body), receivedSignature);

  // Compare the signatures
  if (!isSignatureEqual) {
      return res.status(401).send('Mismatched signatures');
  }

  // Process the webhook payload
  // ...

  res.status(200).send({ status: 'complete' });
});