Dub-Signature header. Dub generates this header using a secret key that only you and Dub know.
An example header looks like this:
Finding your webhook’s signing secret
You can find your webhook’s signing secret in the Update Details tab:
DUB_WEBHOOK_SECRET). Do not commit it to git or add it in any client-side code.
Verifying a webhook request
To verify, you can use the secret key to generate your own signature for each webhook. If both signatures match, then you can be sure that a received event came from Dub. The steps required are:
- Get the raw body of the request.
- Extract the signature from the Dub-Signature header.
- Calculate the HMAC of the raw body using the SHA-256 hash function and the secret.
- Compare the calculated HMAC with the one sent in the Dub-Signature header. If they match, the webhook is verified.
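
The four steps above as a Node.js function, added here as an illustration and not taken from Dub's documentation. It assumes the header value is the hex-encoded HMAC (the page's example header is not shown); the function name, secret and payload are constructed for the example.

```javascript
const crypto = require("node:crypto");

// Assumption: Dub-Signature carries HMAC-SHA256(rawBody, secret) as a hex string.
// verifyDubSignature is a hypothetical helper name, not part of any Dub SDK.
function verifyDubSignature(rawBody, signatureHeader, secret) {
  if (typeof signatureHeader !== "string" || !secret) return false;
  const candidate = signatureHeader.trim();
  // Reject anything that is not exactly 32 bytes of hex before decoding,
  // so timingSafeEqual never sees buffers of different lengths.
  if (!/^[0-9a-f]{64}$/i.test(candidate)) return false;

  // HMAC over the exact bytes received, never over re-serialized JSON.
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(candidate, "hex");

  // Constant-time comparison avoids leaking how many leading bytes matched.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not real Dub values).
const SAMPLE_SECRET = "constructed-example-secret";
const SAMPLE_BODY = Buffer.from('{"id":"evt_constructed","note":"sample"}');
const SAMPLE_SIG = crypto
  .createHmac("sha256", SAMPLE_SECRET)
  .update(SAMPLE_BODY)
  .digest("hex");

function demo() {
  // Same JSON content, different bytes: what a body parser round trip can produce.
  const reserialized = Buffer.from(
    JSON.stringify(JSON.parse(SAMPLE_BODY.toString()), null, 2)
  );
  return {
    genuine: verifyDubSignature(SAMPLE_BODY, SAMPLE_SIG, SAMPLE_SECRET),
    tamperedBody: verifyDubSignature(Buffer.from("{}"), SAMPLE_SIG, SAMPLE_SECRET),
    reserializedBody: verifyDubSignature(reserialized, SAMPLE_SIG, SAMPLE_SECRET),
    wrongSecret: verifyDubSignature(SAMPLE_BODY, SAMPLE_SIG, "other-secret"),
    missingHeader: verifyDubSignature(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    malformedHeader: verifyDubSignature(SAMPLE_BODY, "abc123", SAMPLE_SECRET),
  };
}

console.log(demo());
```

In a framework that parses JSON automatically, capture the raw request bytes before parsing; the reserializedBody case shows why a re-encoded body fails verification.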