It is critical to verify that incoming requests to your webhook were sent by Authsignal, and to reject any that were not. The recommended approach is to use an Authsignal Server SDK to handle the incoming request.
```javascript
import { Authsignal } from "@authsignal/node";

const authsignal = new Authsignal({ apiSecretKey: "YOUR_SERVER_API_SECRET_KEY" });

// Obtain raw request body and signature header
// For example using Express (https://expressjs.com/)
const payload = req.body; // must be the raw, unparsed request body
// Node.js lowercases incoming header names, so look the header up in lowercase
const sig = req.headers["x-signature-v2"];

// Verifies the signature and returns the parsed event
const event = authsignal.webhook.constructEvent(payload, sig);
```

By passing the raw request body along with the X-Signature-V2 header to the SDK, it verifies that the request is valid and constructs the event for you to handle.

The Authsignal SDK requires the raw body of the request to verify the signature. If you’re using a framework, make sure it doesn’t manipulate the raw body, as this will cause the signature verification to fail.

Replay protection

The Authsignal Server SDKs reject events older than 5 minutes by default. Customize the window by passing a tolerance value (in minutes).
```javascript
const payload = req.body;
// Header names in req.headers are lowercase in Node.js
const sig = req.headers["x-signature-v2"];
const tolerance = 10; // minutes

const event = authsignal.webhook.constructEvent(payload, sig, tolerance);
```
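
Why the raw body matters and how the tolerance window behaves, shown as an added example that is not Authsignal's SDK code or wire format. It is a generic HMAC-SHA256 check; the header layout, the functions `sign`, `verify` and `demo`, and all sample values are assumptions constructed for illustration.

```javascript
// Added illustration, not Authsignal SDK code. The "t=<unix seconds>,v=<base64 MAC>"
// header layout and the signed string "<t>.<body>" are assumptions for this sketch.
const crypto = require("node:crypto");

function sign(secret, rawBody, timestamp) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.`).update(rawBody).digest("base64");
}

function verify(secret, rawBody, header, toleranceMinutes = 5, now = Date.now()) {
  const fields = Object.fromEntries(header.split(",").map((kv) => {
    const i = kv.indexOf("=");
    return [kv.slice(0, i), kv.slice(i + 1)];
  }));
  const timestamp = Number(fields.t);
  if (!Number.isInteger(timestamp) || !fields.v) return "malformed";
  // Replay window: refuse anything signed longer ago than the tolerance.
  if (now / 1000 - timestamp > toleranceMinutes * 60) return "stale";
  const expected = Buffer.from(sign(secret, rawBody, timestamp));
  const received = Buffer.from(fields.v);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (expected.length !== received.length ||
      !crypto.timingSafeEqual(expected, received)) return "bad-signature";
  return "ok";
}

function demo() {
  const secret = "constructed-test-secret"; // constructed value
  const now = Date.UTC(2024, 0, 1, 12, 0, 0);
  const t = now / 1000;
  // Constructed body; note the whitespace a JSON parser would not preserve.
  const raw = Buffer.from('{"event": "example",  "id": 1}');
  const header = `t=${t},v=${sign(secret, raw, t)}`;
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(raw.toString())));
  const later = now + 7 * 60 * 1000; // same delivery presented 7 minutes on
  return {
    rawBody: verify(secret, raw, header, 5, now),
    reserializedBody: verify(secret, reserialized, header, 5, now),
    replayedDefault: verify(secret, raw, header, 5, later),
    replayedTolerance10: verify(secret, raw, header, 10, later),
  };
}

console.log(demo());
```

The body that was parsed and re-serialized fails even though it is semantically identical JSON, which is the failure a body-parsing middleware causes when it runs before verification.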