Developer Documentation

Webhook Signature Verification

Verify the authenticity of FundraiserMax webhook payloads using HMAC-SHA256 signature verification. Includes Node.js and Python examples.

Signature Verification

Every webhook request includes an X-FundraiserMax-Signature header containing an HMAC-SHA256 signature of the request body. You should verify this signature to ensure the payload was sent by FundraiserMax and has not been tampered with.

Verification Steps

  1. Extract the X-FundraiserMax-Signature header value from the incoming request.
  2. Compute the HMAC-SHA256 hash of the raw request body using your webhook signing secret as the key.
  3. Compare the computed hash with the signature from the header. If they match, the payload is authentic.

Verification Example

# Compute HMAC-SHA256 signature and compare
PAYLOAD='{"id":"whevt_abc123","type":"contact.created"}'
SECRET="your_webhook_signing_secret"
EXPECTED_SIG=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" | awk '{print $2}')
echo "Computed signature: $EXPECTED_SIG"

# Compare with X-FundraiserMax-Signature header value
# If they match, the payload is authentic
Important: Always use a constant-time comparison function (e.g., crypto.timingSafeEqual in Node.js or hmac.compare_digest in Python) to prevent timing attacks.