
title: "Verify the signature of a webhook"
description: "Compare the Ministrium-Signature header against HMAC-SHA256 of the body."
audience: ["developer"]
modules: ["api","seguridad"]
estimated_minutes: 5
last_reviewed: "2026-05-03"

Verify the signature of a webhook

For: Developer
Last reviewed: 2026-05-03

Without verification, anyone with your public URL can inject fake events. The signature blocks this by requiring the shared secret.

TL;DR

HMAC-SHA256(secret, raw_body) must equal the Ministrium-Signature header.

Steps

1. Read the raw body (not parsed to JSON first).
2. Compute expected = HMAC-SHA256(secret, raw_body) in hex.
3. Compare expected against Ministrium-Signature with constant-time compare (not ==).
4. If they differ, respond 401 and drop the event.
5. If they match, parse the body and process the event.

Node.js example

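    const crypto = require("crypto");

    // rawBody must be the exact bytes received, before any JSON parsing.
    const expected = crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
    const sig = req.headers["ministrium-signature"];

    // timingSafeEqual throws if the buffers differ in length, so treat a
    // missing or wrong-length header as a mismatch before comparing.
    const a = Buffer.from(expected);
    const b = Buffer.from(typeof sig === "string" ? sig : "");
    if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
      return res.status(401).end();
    }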