Verify webhook requests
Learn how to verify webhook requests to ensure they’re coming from Dub.
With signature verification, you can determine if the webhook came from Dub, and has not been tampered with in transit.
All webhooks are delivered with a Dub-Signature header. Dub generates this header using a secret key that only you and Dub know.
An example header looks like this:
Finding your webhook’s signing secret
You can find your webhook’s signing secret in the Update Details tab:
Make sure to keep this secret safe by only storing it in a secure environment variable (e.g. DUB_WEBHOOK_SECRET). Do not commit it to git or add it in any client-side code.
Verifying a webhook request
To verify, you can use the secret key to generate your own signature for each webhook. If both signatures match then you can be sure that a received event came from Dub.
The steps required are:
- Get the raw body of the request.
- Extract the signature from the
Dub-Signatureheader. - Calculate the HMAC of the raw body using the
SHA-256hash function and the secret. - Compare the calculated
HMACwith the one sent in theDub-Signatureheader. If they match, the webhook is verified.
Here’s an example of how you can verify a webhook request in different languages:
Why is signature verification important?
Signature verification is a crucial security measure that protects against request forgery and data tampering. Without verification, malicious actors could send fake webhook events to your endpoint, potentially triggering unauthorized actions.
The HMAC-SHA256 signature verification process ensures that only Dub can generate valid webhook requests and that payloads haven’t been modified in transit. This provides both authentication (confirming the sender is Dub) and integrity (ensuring the message hasn’t been tampered with).
Was this page helpful?