To ensure the webhook body has not been tampered with, you should request an Event-Signature header to be sent with your event.

The header contains a Hash-based Message Authentication Code (HMAC) generated from a shared secret and the webhook body itself.

Contact your Implementation Manager to enable the Event-Signature header and receive the shared secret.


Step 1

Extract the Event-Signature HTTP(S) header from the incoming events webhook request.

  • The header can contain multiple signatures (comma separated).
  • The order of the signatures can change, so always use the keyId.




  • keyId - Numeric reference for the shared secret used to sign the message. The keyId value changes/increments if a new signature is generated.
  • hashFunction - The cryptographic hash function used to create the HMAC. Currently supported:
  • signature - Hash-based Message Authentication Code (HMAC). Generated from the webhook body and shared secret using the hashFunction.

Step 2

Take the webhook body and shared secret, then use the hashFunction to generate the HMAC signature.

Step 3

Compare the HMAC signature you generated in step 2 with the signature received in the Event-Signature header.

  • Signatures match - Respond with a 200 HTTP(S) status code.
  • Signatures don't match - Discard the webhook body and return a 400 HTTP(S) status code.
  • No signature received (and you are set up for HMAC) - Return a 400 HTTP status code.
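
The three steps above in Python, as an added example that is not the provider's own code. The header layout `keyId/hashFunction/signature`, hex encoding of the signature, SHA256 as the hash function, the secret values, and accepting the request when any signature for a keyId you hold verifies are all assumptions, since the page does not show them.

```python
import hashlib
import hmac

# Assumption: shared secrets stored per keyId (constructed values, not real secrets).
SECRETS = {"1": b"constructed-old-secret", "2": b"constructed-new-secret"}
# Assumption: SHA256 is supported; anything not in this allow-list is rejected.
HASHES = {"SHA256": hashlib.sha256}


def parse_event_signature(header):
    """Step 1: split the comma-separated header into {keyId: (hashFunction, signature)}.

    Assumed entry layout: keyId/hashFunction/signature.
    """
    entries = {}
    for part in header.split(","):
        fields = part.strip().split("/")
        if len(fields) != 3 or not all(fields):
            raise ValueError("malformed Event-Signature entry")
        key_id, hash_name, signature = fields
        entries[key_id] = (hash_name.upper(), signature.lower())
    return entries


def verify_webhook(raw_body, header):
    """Return the HTTP status code to send: 200 if a signature verifies, else 400."""
    if not header:
        return 400  # set up for HMAC but no signature received
    try:
        entries = parse_event_signature(header)
    except ValueError:
        return 400
    for key_id, (hash_name, received) in entries.items():
        secret = SECRETS.get(key_id)       # select by keyId, never by position
        digestmod = HASHES.get(hash_name)  # never trust an unlisted algorithm name
        if secret is None or digestmod is None:
            continue
        # Step 2: HMAC over the raw body bytes (assumed hex-encoded in the header).
        expected = hmac.new(secret, raw_body, digestmod).hexdigest()
        # Step 3: constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(expected.encode(), received.encode()):
            return 200
    return 400
```

Pass the body bytes exactly as received, before any JSON parsing or re-serialisation, because the HMAC covers the raw bytes.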