Signature verification

The Strike API signs each webhook with a hash-based message authentication code (HMAC) using SHA-256 and sends the result in the X-Webhook-Signature header. This signature is used to confirm that the webhook was sent by the Strike API and that its payload was not altered in transit.

Follow the steps below to verify the signature of a webhook:

  1. Extract the signature from the request X-Webhook-Signature header.
  2. Compute the HMAC using the SHA-256 hash of the webhook request’s JSON payload (the webhook’s content) and the secret that was used when creating the webhook subscription. An example of how to compute the HMAC is provided below.
  3. Compare the signature from step 1 with the value computed in step 2. If the values match, then the signature is valid and the webhook request was indeed made by the Strike API.

Below is an example of computing an HMAC and verifying a webhook request signature:

Example implementation in js (node):

const crypto = require('crypto')

// HMAC-SHA256 of the content, hex-encoded to match the header format.
function computeHmac(content, secret) {
  const hmac = crypto.createHmac('sha256', secret)

  return hmac.update(content).digest('hex')
}

// Serialise the parsed body back to the UTF-8 bytes the HMAC is computed over.
// hmac.update() accepts a Buffer but not a plain array of numbers, so the
// Buffer itself is returned. Prefer the raw request bytes where the framework
// exposes them: a re-serialised body only matches if its formatting is identical.
function getRawBody(body) {
  const str = JSON.stringify(body)

  return Buffer.from(str, 'utf8')
}

function verifyRequestSignature(request, secret) {
  const requestSignature = request.get('X-Webhook-Signature')
  if (typeof requestSignature !== 'string') {
    return false
  }
  const requestSignatureBuffer = Buffer.from(requestSignature, 'utf8')

  const contentSignature = computeHmac(getRawBody(request.body), secret)
  const contentSignatureBuffer = Buffer.from(contentSignature, 'utf8')

  // timingSafeEqual throws a RangeError on buffers of different lengths,
  // so a header of the wrong length is rejected before the comparison.
  if (requestSignatureBuffer.length !== contentSignatureBuffer.length) {
    return false
  }

  return crypto.timingSafeEqual(requestSignatureBuffer, contentSignatureBuffer)
}