
To ensure the integrity and authenticity of webhook requests, you can enable HMAC signature verification when creating a webhook.

1. Enabling HMAC Signatures

When calling the Create Webhook endpoint, include a signing_key field in the request body. This key is the HMAC secret used to sign every request delivered to that webhook, so generate it with a cryptographically secure random generator, keep it out of client-side code and logs, and store it where only your webhook receiver can read it.

    {
      "event": "appointment.created",
      "url": "https://example.com/webhook",
      "signing_key": "your-secret-key"
    }

2. Verifying Webhook Signatures

Every webhook request includes two HTTP headers:

  • X-Herohealth-Timestamp: The time at which the request was sent. It is part of the signed message, so it cannot be altered without invalidating the signature.
  • X-Herohealth-Signature: The HMAC-SHA256 signature computed over the timestamp and the raw request body, as described below.

To verify the signature:

  1. Concatenate the timestamp and the raw request body, separated by a period:

      message = "{timestamp}.{request_body}"

  2. Generate the HMAC-SHA256 of this message using the signing_key as the HMAC key.

  3. Compare the result with the value from the X-Herohealth-Signature header using a constant-time comparison (for example hmac.compare_digest in Python) rather than a plain string equality, so that timing differences do not leak how much of the signature matched.

  4. Reject requests whose timestamp is too far from the current time (a few minutes of tolerance is typical). A valid signature on its own does not stop an attacker from replaying a captured delivery later; checking the timestamp bounds that window.

Note: Sign exactly the raw bytes of the request body as received, before any JSON parsing. The payload is sent as compact JSON with no whitespace or formatting. Re-serialising the parsed object (which may reorder keys, add spaces or change escaping) produces a different message, and the signature will not match.

This process lets your endpoint confirm that the request originated from HeroHealth and that neither the body nor the timestamp was modified in transit.
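The following is an added example, not code from the HeroHealth service or its SDK, that walks through the whole procedure: it builds the two headers the way the webhook service would for a given body, then verifies them on the receiving side with a constant-time comparison and a timestamp freshness check. The page does not state the encoding of the signature or the timestamp, so the code assumes a lowercase hex signature and a Unix-seconds timestamp; adjust those two points if your deliveries differ. The body and signing key are constructed sample values.

```python
import hashlib
import hmac
import time

# Signing key registered via the Create Webhook call (constructed sample value).
SIGNING_KEY = "your-secret-key"

# Assumption: the signature header is lowercase hex and the timestamp header
# is Unix seconds. Neither encoding is stated on the page.
MAX_SKEW_SECONDS = 300


def compute_signature(signing_key: str, timestamp: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over "{timestamp}.{request_body}", hex-encoded (assumed)."""
    message = timestamp.encode("utf-8") + b"." + raw_body
    return hmac.new(signing_key.encode("utf-8"), message, hashlib.sha256).hexdigest()


def build_delivery_headers(signing_key: str, raw_body: bytes, now: int) -> dict:
    """Sender side: the headers a delivery carries for this body (illustrative)."""
    timestamp = str(now)
    return {
        "X-Herohealth-Timestamp": timestamp,
        "X-Herohealth-Signature": compute_signature(signing_key, timestamp, raw_body),
    }


def verify_webhook(signing_key: str, headers: dict, raw_body: bytes, now=None) -> bool:
    """Receiver side: True only if the signature matches and the timestamp is fresh.

    raw_body must be the request body bytes exactly as received; do not parse
    and re-serialise the JSON, or the signed message will differ.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    timestamp = lowered.get("x-herohealth-timestamp")
    signature = lowered.get("x-herohealth-signature")
    if timestamp is None or signature is None:
        return False

    # Freshness check bounds the replay window for a captured delivery.
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False

    expected = compute_signature(signing_key, timestamp, raw_body)
    # Constant-time comparison: plain == short-circuits on the first mismatch.
    return hmac.compare_digest(expected, signature.strip().lower())


if __name__ == "__main__":
    # Constructed compact JSON body, as the service would send it (no whitespace).
    body = b'{"event":"appointment.created"}'
    now = 1_700_000_000
    headers = build_delivery_headers(SIGNING_KEY, body, now)
    print("genuine delivery:", verify_webhook(SIGNING_KEY, headers, body, now=now))
    print("tampered body:   ", verify_webhook(SIGNING_KEY, headers, body + b" ", now=now))
    print("replayed later:  ", verify_webhook(SIGNING_KEY, headers, body, now=now + 3600))
```

Pass the raw bytes your web framework gives you (for example `request.get_data()` in Flask or `await request.body()` in FastAPI) straight into `verify_webhook`; parse the JSON only after the check succeeds.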