
Signature verification

Strike signs each webhook event by including an HMAC-SHA256 signature in the X-Webhook-Signature header. The signature lets you confirm that the webhook request was triggered by Strike.

You can verify the signature using the following steps:

  1. Extract the signature from the request X-Webhook-Signature header.
  2. Compute the HMAC-SHA256 of the request JSON payload (the request body), using the secret that was supplied when the subscription was created.
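  3. Compare the signature from step 1 with the value computed in step 2. If the values match, the signature is valid, which means that the request was indeed triggered by Strike. Use a constant-time comparison (the example below uses crypto.timingSafeEqual) and reject the request if the values differ.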
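Example implementation in JavaScript (Node.js). It assumes `crypto` refers to Node's built-in crypto module, e.g. `const crypto = require('crypto');`: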
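/**
 * Compute the hex-encoded HMAC-SHA256 of `content`, keyed with `secret`.
 *
 * `crypto` is expected to be Node's built-in crypto module; the listing does
 * not show where it is brought into scope.
 *
 * @param {string|Buffer|Uint8Array|number[]} content - Data to authenticate.
 *   A plain array is treated as a sequence of byte values.
 * @param {string|Buffer} secret - The webhook subscription secret used as the HMAC key.
 * @returns {string} The digest as a hex string.
 */
function computeHmac(content, secret) {
  // hmac.update() accepts strings, Buffers, TypedArrays and DataViews, but
  // throws a TypeError on a plain array. getRawBody() returns a plain array
  // of bytes, so convert that case to a Buffer before hashing.
  const data = Array.isArray(content) ? Buffer.from(content) : content;

  return crypto.createHmac('sha256', secret).update(data).digest('hex');
}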

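/**
 * Serialise a parsed request body back to JSON and return its UTF-8 bytes.
 *
 * NOTE(review): this re-creates the payload with JSON.stringify rather than
 * reading the bytes that actually arrived. If the sender's serialisation
 * differs in any byte (whitespace, escaping, number formatting), the HMAC
 * computed over this output will not match and a genuine request will be
 * rejected. Where the framework allows it, keep the raw request bytes from
 * before JSON parsing and hash those instead.
 *
 * @param {*} body - The already-parsed JSON request body.
 * @returns {number[]} The UTF-8 bytes of `JSON.stringify(body)`, one number per byte.
 */
function getRawBody(body) {
  const json = JSON.stringify(body);

  // Buffer.from() replaces the deprecated `new Buffer(string, encoding)`
  // constructor; the resulting bytes are the same.
  return Array.from(Buffer.from(json, 'utf8'));
}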

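/**
 * Check a webhook request's X-Webhook-Signature header against the
 * HMAC-SHA256 of its body.
 *
 * @param {object} request - Incoming request; must expose `get(headerName)`
 *   and a parsed `body` (presumably an Express-style request — confirm
 *   against the framework in use).
 * @param {string|Buffer} secret - The secret supplied when the webhook
 *   subscription was created.
 * @returns {boolean} `true` only when the header is present and equals the
 *   computed signature; `false` otherwise. Callers should reject the request
 *   on `false`.
 */
function verifyRequestSignature(request, secret) {
  const requestSignature = request.get('X-Webhook-Signature');

  // A request without the header is unauthenticated. Buffer.from(undefined)
  // would throw, so report the failure as an invalid signature instead.
  if (typeof requestSignature !== 'string') {
    return false;
  }

  // Wrap the byte array in a Buffer so the hash input is a type that
  // hmac.update() accepts.
  const bodyBytes = Buffer.from(getRawBody(request.body));
  const contentSignature = computeHmac(bodyBytes, secret);

  const receivedBuffer = Buffer.from(requestSignature, 'utf8');
  const expectedBuffer = Buffer.from(contentSignature, 'utf8');

  // crypto.timingSafeEqual throws a RangeError when the two buffers differ in
  // length, so a header of the wrong size would surface as an exception
  // rather than a failed check. The digest length is fixed and public, so
  // comparing lengths first reveals nothing about the secret.
  if (receivedBuffer.length !== expectedBuffer.length) {
    return false;
  }

  // The comparison is byte-for-byte against the hex digest computeHmac
  // returns. NOTE(review): confirm the header uses the same encoding and
  // letter case, otherwise valid requests will be rejected.
  return crypto.timingSafeEqual(receivedBuffer, expectedBuffer);
}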