Developers API

Realtime Event Engine

WebSocket streaming, event webhooks, payload schemas, rule conditions, delivery lifecycle, signature verification, event history, and errors.

Signature Verification

Verify each webhook delivery before processing it in production.

Use the endpoint-specific signing secret returned when creating the webhook destination.

Delivery headers include X-SAHMK-Signature, X-SAHMK-Event, and X-SAHMK-Event-Id.

  • Each delivery includes X-SAHMK-Signature.
  • Signature generation uses HMAC-SHA256 over the canonical payload.
  • Reject mismatches with HTTP 401.

# Header format:
# X-SAHMK-Signature: t=<unix_ts>,v1=<hex_hmac>
import hashlib
import hmac
import json

timestamp, received = parse_signature_header(request.headers["X-SAHMK-Signature"])
canonical_json = json.dumps(payload, sort_keys=True, separators=(",", ":"))
signed_payload = f"{timestamp}.{canonical_json}".encode("utf-8")
# signing_secret is the endpoint-specific signing secret, as bytes
computed = hmac.new(signing_secret, signed_payload, hashlib.sha256).hexdigest()

# Constant-time comparison, so the check does not leak how much of the value matched
if not hmac.compare_digest(computed, received):
  return 401

process_event(payload)

The timestamp is included in the signature header and is part of the signed payload, so it is covered by the HMAC. Receivers should apply a time-window check for replay protection.
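
An added example (not SAHMK's own code) that combines the signature comparison above with the time-window check. The 300-second tolerance, the names `sign` and `check_delivery`, the body of `parse_signature_header`, and the sample secret and payload are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed window; the page does not specify one
SECRET = b"constructed-signing-secret"        # constructed sample value
PAYLOAD = {"symbol": "TEST", "price": 10.5}   # constructed sample payload


def parse_signature_header(header):
    """Split 't=<unix_ts>,v1=<hex_hmac>' into (int timestamp, hex digest)."""
    fields = dict(p.strip().split("=", 1) for p in header.split(",") if "=" in p)
    return int(fields["t"]), fields["v1"]


def sign(secret, timestamp, payload):
    """HMAC-SHA256 over '<timestamp>.<canonical JSON>', hex-encoded."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    signed_payload = f"{timestamp}.{canonical}".encode("utf-8")
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def check_delivery(header, payload, secret, now=None, tolerance=TOLERANCE_SECONDS):
    """Return 'ok', 'malformed', 'mismatch' or 'stale' for one delivery."""
    try:
        timestamp, received = parse_signature_header(header)
    except (AttributeError, KeyError, ValueError):
        return "malformed"  # header missing, or t= / v1= absent or unparsable
    expected = sign(secret, timestamp, payload)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return "mismatch"
    # The timestamp is trusted only now that the HMAC covering it has matched.
    now = time.time() if now is None else now
    if abs(now - timestamp) > tolerance:
        return "stale"  # authentic delivery, but outside the accepted window
    return "ok"


if __name__ == "__main__":
    ts = int(time.time())
    header = f"t={ts},v1={sign(SECRET, ts, PAYLOAD)}"
    print(check_delivery(header, PAYLOAD, SECRET))                 # fresh delivery
    print(check_delivery(header, PAYLOAD, SECRET, now=ts + 3600))  # replayed later
```

A `mismatch` result maps to the HTTP 401 the page calls for; the status returned for `stale` and `malformed` is left to the receiver.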