By default, a webhook URL is open and may receive a payload from anybody who knows the URL. For security reasons, we recommend accepting requests only from trusted sources. This is accomplished by signing your requests with a Hash-based Message Authentication Code (HMAC).

To secure your webhook with HMAC, type your secret into the field displayed below. Make sure you share this secret with trusted people only.

Once you have defined an HMAC secret, only signed requests are accepted for that webhook. To sign a request, generate an HMAC digest of the request body using the sha512 algorithm and your secret, and send it in the X-EIO-Signature HTTP header.

If you or somebody else fails to sign a request to the webhook after the secret is defined, the reply is an HTTP/1.1 400 Bad Request header with a message like "The request is expected to be signed. Please send the signature using the x-eio-signature HTTP header".
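The check described above, sketched from the receiving side as an added example (not code from the original page or from the platform). The function names and result labels are hypothetical, and the secret and payload are constructed sample values; it also shows that a signature only verifies against the exact body bytes that were signed.

```javascript
const crypto = require('crypto');

// Header name and sha512/hex come from the page; function names are hypothetical.
const SIGNATURE_HEADER = 'x-eio-signature';

// Sender side: sign the exact bytes that will be sent as the request body.
function signBody(secret, rawBody) {
  return crypto.createHmac('sha512', secret).update(rawBody).digest('hex');
}

// Receiver side (assumed logic): classify a request from its headers and raw body.
// `headers` uses lower-cased names, as Node's http module provides them.
function checkRequest(secret, headers, rawBody) {
  const received = headers[SIGNATURE_HEADER];
  if (typeof received !== 'string') return 'unsigned';
  // A sha512 digest in hex is exactly 128 hex characters.
  if (!/^[0-9a-f]{128}$/i.test(received)) return 'malformed';
  const expected = Buffer.from(signBody(secret, rawBody), 'hex');
  const given = Buffer.from(received, 'hex');
  // Constant-time comparison; both buffers are 64 bytes at this point.
  return crypto.timingSafeEqual(expected, given) ? 'ok' : 'mismatch';
}

// Constructed sample data for the demonstration.
const SECRET = 'my_secret';
const body = JSON.stringify({ msg: 'Hello, world' });
const signature = signBody(SECRET, body);

function demo() {
  // Same JSON value, different whitespace: the bytes differ, so the HMAC differs.
  const pretty = JSON.stringify({ msg: 'Hello, world' }, null, 2);
  return {
    valid: checkRequest(SECRET, { [SIGNATURE_HEADER]: signature }, body),
    unsigned: checkRequest(SECRET, {}, body),
    truncated: checkRequest(SECRET, { [SIGNATURE_HEADER]: signature.slice(0, 64) }, body),
    reformatted: checkRequest(SECRET, { [SIGNATURE_HEADER]: signature }, pretty),
    wrongSecret: checkRequest(SECRET, { [SIGNATURE_HEADER]: signBody('other', body) }, body),
  };
}

console.log(demo());
```

The page states only that unsigned requests are answered with 400 Bad Request; how a wrong or malformed signature is answered is not stated, so the labels above stand in for that decision.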

Generating HMAC

Here is an example of how to generate the HMAC to be used with your webhook. Imagine you want to send the following JSON payload to your webhook:

{
  "msg": "Hello, world"
}

To secure your webhook URL, you have already set the secret. All that is left is to create an HMAC. Here is an example of how to create an HMAC using Node.js:

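var crypto = require('crypto');

// The payload that will be sent as the request body
var payload = {
    "msg": "Hello, world"
};

// The secret defined for the webhook
var secret = 'my_secret';
var hmac = crypto.createHmac('sha512', secret);
// Hex-encoded HMAC-SHA512 of the serialized body
var signature = hmac.update(JSON.stringify(payload)).digest('hex');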

The resulting HMAC could look like this:


Sending WebHook with HMAC signed

After generating the HMAC you can send the signed request like in the example shown below:

curl{WEBHOOK_ID} \
   -H 'X-EIO-Signature: 3ab69c4f13545c0ebb8ecc7ce72070da656e3353bc0fd6df7ec83f915316e3b702851cf9f4b2fdde0b84c9b8fc575bcfb4d411c22f4ad9ac076f87254a3b475f' \
   -H 'Content-Type: application/json' \
   -d '{"msg":"Hello, world"}'