Developers API
Realtime Event Engine
WebSocket streaming, event webhooks, payload schemas, rule conditions, delivery lifecycle, signature verification, event history, and errors.
Signature Verification
Verify each webhook delivery before processing it in production.
Use the endpoint-specific signing secret returned when creating the webhook destination.
Delivery headers include X-SAHMK-Signature, X-SAHMK-Event, and X-SAHMK-Event-Id.
- Each delivery includes X-SAHMK-Signature.
- Signature generation uses HMAC-SHA256 over canonical payload.
- Reject mismatches with HTTP 401.
```text
# Header format:
# X-SAHMK-Signature: t=<unix_ts>,v1=<hex_hmac>
timestamp, received = parse_signature_header(request.headers["X-SAHMK-Signature"])
canonical_json = json.dumps(payload, sort_keys=True, separators=(",", ":"))
signed_payload = f"{timestamp}.{canonical_json}"  # utf-8 bytes
computed = HMAC_SHA256(signing_secret, signed_payload)  # hex-encoded digest
# constant_time_equal: placeholder for a constant-time comparison,
# for example hmac.compare_digest in Python
if not constant_time_equal(computed, received):
    return 401
process_event(payload)
```

The timestamp is included in the signature header. Receivers should apply a time-window check for replay protection.
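A fuller receiver-side version of the check above, including the time-window test, as an added example (not SAHMK's own code). The 300-second tolerance, the `SignatureError` class, passing the signing secret as bytes, and the sample event are assumptions; canonicalization follows the `json.dumps` call shown on this page.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not specify one

class SignatureError(Exception):
    """Raised when a delivery must be rejected (respond with HTTP 401)."""

def parse_signature_header(header):
    """Parse 't=<unix_ts>,v1=<hex_hmac>' into (int timestamp, hex string)."""
    fields = dict(p.strip().split("=", 1) for p in (header or "").split(",") if "=" in p)
    try:
        return int(fields["t"]), fields["v1"]
    except (KeyError, ValueError) as exc:
        raise SignatureError("malformed X-SAHMK-Signature header") from exc

def sign(secret, timestamp, payload):
    """HMAC-SHA256 over '<timestamp>.<canonical JSON>', hex-encoded."""
    canonical_json = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    signed_payload = f"{timestamp}.{canonical_json}".encode("utf-8")
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()

def verify_delivery(secret, header, raw_body, now=None):
    """Return the parsed payload, or raise SignatureError."""
    timestamp, received = parse_signature_header(header)
    try:
        payload = json.loads(raw_body)
    except ValueError as exc:
        raise SignatureError("body is not valid JSON") from exc
    # Constant-time compare: do not leak how many leading characters matched.
    expected = sign(secret, timestamp, payload)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise SignatureError("signature mismatch")
    # Check freshness only after the MAC, so the timestamp is authenticated.
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise SignatureError("timestamp outside replay window")
    return payload

if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed, not a real signing secret
    event = {"type": "price.alert", "symbol": "2222", "price": 27.5}  # constructed
    ts = int(time.time())
    header = f"t={ts},v1={sign(secret, ts, event)}"
    print(verify_delivery(secret, header, json.dumps(event)))
```

Map any `SignatureError` to an HTTP 401 response and call the event handler only with the returned payload.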