Slatis

Webhook Signatures

Verify that webhook payloads are from Slatis using HMAC-SHA256 signatures.

How it works

Every webhook delivery includes an X-Slatis-Signature header carrying an HMAC-SHA256 signature of the raw request body, computed with your webhook's secret:

X-Slatis-Signature: sha256=a4d2e5f8...

Verify in Node.js

import crypto from 'crypto'

function verifySignature(
  payload: string,
  signature: string | undefined,
  secret: string
): boolean {
  // Header missing or not a string: reject before attempting any comparison
  if (typeof signature !== 'string') return false

  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(payload, 'utf8')
    .digest('hex')

  const received = Buffer.from(signature, 'utf8')
  const wanted = Buffer.from(expected, 'utf8')

  // timingSafeEqual throws a RangeError on buffers of unequal length,
  // so a truncated or malformed header must be rejected up front
  if (received.length !== wanted.length) return false

  return crypto.timingSafeEqual(received, wanted)
}

// In your webhook handler:
app.post('/webhooks/slatis', (req, res) => {
  const rawBody = req.rawBody // must be the unmodified raw string
  const sig = req.headers['x-slatis-signature'] as string | undefined

  if (!verifySignature(rawBody, sig, process.env.SLATIS_WEBHOOK_SECRET!)) {
    return res.status(401).send('Invalid signature')
  }

  const event = JSON.parse(rawBody)
  // handle event...
  res.sendStatus(200)
})

Always compare signatures with crypto.timingSafeEqual rather than === so that a mismatch takes the same time regardless of where the first differing byte is; an early-exit comparison leaks that position and enables timing attacks.

Important

  • Use the raw body bytes for HMAC computation, not a parsed/re-serialized JSON object.
  • The secret is available in the POST /webhooks response (shown once) and can be rotated by deleting and recreating the webhook.
