Verifying webhook signatures
Validate the HMAC-SHA-256 signature we send on every outbound webhook.
4 min read · Updated 2026-04-26
Why verify
Without signature verification, anyone could send fake webhooks to your endpoint. We sign every outbound webhook with HMAC-SHA-256 and the shared secret you set when registering the webhook URL.
Verifying in Node
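import crypto from "crypto";

function verify(req, secret) {
  // Hex-encoded signature sent with the webhook.
  const sig = req.headers["x-swagbyte-signature"];
  // Recompute the HMAC over the raw request bytes.
  const expected = crypto
    .createHmac("sha256", secret)
    .update(req.rawBody)
    .digest("hex");
  // Reject a missing header, then compare in constant time.
  if (typeof sig !== "string") return false;
  const a = Buffer.from(sig);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

Compute the HMAC over the raw request body, not the parsed JSON. Re-stringifying the JSON introduces whitespace differences that break the signature. Compare the two signatures with crypto.timingSafeEqual rather than ===, so the time taken does not depend on how many leading characters match.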
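The raw-body rule above, shown end to end as an added example (not code from the original page): the same signature verifies over the bytes as received and fails once the JSON has been parsed and re-stringified. The secret, payload, and the helper names `sign`, `verifySignature`, `restringify` and `demo` are constructed for illustration, and the header is assumed to carry a bare hex digest as in the snippet above.

```javascript
const crypto = require("node:crypto");

// Constructed sample values for this example only.
const SECRET = "example-shared-secret";
// Bytes as they arrive on the wire; note the spaces after ":" and ",".
const RAW_BODY = Buffer.from('{"event": "order.created",  "id": 42}', "utf8");

// Hex HMAC-SHA-256 over the exact bytes, as the sender would compute it.
function sign(body, secret) {
  return crypto.createHmac("sha256", secret).update(body).digest("hex");
}

// Returns true only when `header` is the HMAC of `body` under `secret`.
function verifySignature(body, header, secret) {
  // A missing header, or anything that is not 64 hex characters, is rejected
  // first, so timingSafeEqual always receives two 32-byte buffers.
  if (typeof header !== "string" || !/^[0-9a-f]{64}$/i.test(header)) return false;
  const expected = Buffer.from(sign(body, secret), "hex");
  const received = Buffer.from(header, "hex");
  return crypto.timingSafeEqual(received, expected);
}

// What a handler is left with if it keeps only the parsed JSON.
function restringify(body) {
  return Buffer.from(JSON.stringify(JSON.parse(body.toString("utf8"))), "utf8");
}

// Runs the verifier over the good case and the common failure cases.
function demo() {
  const header = sign(RAW_BODY, SECRET);
  return {
    rawBody: verifySignature(RAW_BODY, header, SECRET),
    restringified: verifySignature(restringify(RAW_BODY), header, SECRET),
    missingHeader: verifySignature(RAW_BODY, undefined, SECRET),
    truncatedHeader: verifySignature(RAW_BODY, header.slice(0, 32), SECRET),
    wrongSecret: verifySignature(RAW_BODY, header, "other-secret"),
  };
}

console.log(demo());
```

In a real handler, capture the raw bytes before any JSON body parser runs and pass that buffer to the verifier.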