# HMAC Signatures

To ensure the integrity and authenticity of webhook requests, you can enable HMAC signature verification when creating a webhook.

## 1. Enabling HMAC Signatures

When calling the [**Create Webhook**](/apis/public-api/openapi/webhooks/createwebhook) endpoint, include a `signing_key` field in the request body. This key is used as the HMAC secret for signing every outgoing request of that webhook, so generate it with a cryptographically secure random generator and store it only where your webhook receiver can read it.

```json
{
  "event": "appointment.created",
  "url": "https://example.com/webhook",
  "signing_key": "your-secret-key"
}
```

## 2. Verifying Webhook Signatures

Every webhook request includes two HTTP headers:

- `X-Herohealth-Timestamp`: The timestamp of when the request was sent.
- `X-Herohealth-Signature`: The HMAC-SHA256 signature of the request.

To verify the signature:

1. Concatenate the timestamp and the raw request body, separated by a period:

   ```text
   message = "{timestamp}.{request_body}"
   ```

2. Compute the HMAC-SHA256 of this message, using the `signing_key` as the HMAC key.
3. Compare the result with the value from the `X-Herohealth-Signature` header using a constant-time comparison (for example `hmac.compare_digest` in Python) rather than plain string equality, so the comparison does not leak how many leading bytes matched.

> **Note:** The `request_body` used for signature generation is the exact raw JSON payload **without any spaces or formatting changes**. Verify against the raw bytes of the request body as received; do not parse the JSON and re-serialize it, because any difference in key order, whitespace or escaping produces a different signature.

Reject any request whose signature does not verify. Because the timestamp is part of the signed message, it cannot be changed without invalidating the signature, so you can additionally reject requests whose timestamp falls outside a short tolerance window to limit replay of captured requests.

This process ensures that the request originated from HeroHealth and has not been tampered with.