Developer Documentation
Webhook Signature Verification
Verify the authenticity of FundraiserMax webhook payloads using HMAC-SHA256 signature verification. Includes Node.js and Python examples.
Signature Verification
Every webhook request includes an X-FundraiserMax-Signature header containing an HMAC-SHA256 signature of the request body. You should verify this signature to ensure the payload was sent by FundraiserMax and has not been tampered with.
Verification Steps
- Extract the
X-FundraiserMax-Signatureheader value from the incoming request. - Compute the HMAC-SHA256 hash of the raw request body using your webhook signing secret as the key.
- Compare the computed hash with the signature from the header. If they match, the payload is authentic.
Verification Example
# Compute HMAC-SHA256 signature and compare
PAYLOAD='{"id":"whevt_abc123","type":"contact.created"}'
SECRET="your_webhook_signing_secret"
EXPECTED_SIG=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" | awk '{print $2}')
echo "Computed signature: $EXPECTED_SIG"
# Compare with X-FundraiserMax-Signature header value
# If they match, the payload is authenticImportant: Always use a constant-time comparison function (e.g.,
crypto.timingSafeEqual in Node.js or hmac.compare_digest in Python) to prevent timing attacks.