Signature Verification
WioClinic signs every webhook payload so you can confirm it originated from us.
How It Works
We compute an HMAC-SHA256 signature over the raw request body (the exact bytes as sent, before any JSON parsing) using the secret you provided when creating the webhook, hex-encode it, and include it in the X-WioClinic-Signature header:
X-WioClinic-Signature: sha256=abc123def456...
Verification (PHP)
// The raw body bytes exactly as received; do not re-serialise a decoded array.
$payload = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_WIOCLINIC_SIGNATURE'] ?? '';
// The secret you provided when creating the webhook (read here from the environment; adjust to your configuration).
$yourSecret = getenv('WEBHOOK_SECRET');
$expected = 'sha256=' . hash_hmac('sha256', $payload, $yourSecret);
// hash_equals() is constant-time and simply returns false when the lengths differ.
if (!hash_equals($expected, $signature)) {
    http_response_code(401);
    exit;
}
Verification (Node.js)
const crypto = require('crypto');
const payload = req.rawBody; // ensure raw body, not parsed JSON
const signature = req.headers['x-wioclinic-signature'];
const expected = 'sha256=' + crypto
  .createHmac('sha256', process.env.WEBHOOK_SECRET)
  .update(payload)
  .digest('hex');
// timingSafeEqual throws if the buffers differ in length, so a missing or malformed
// header must be rejected before the comparison instead of crashing the handler.
const expectedBuf = Buffer.from(expected);
const receivedBuf = Buffer.from(typeof signature === 'string' ? signature : '');
if (expectedBuf.length !== receivedBuf.length || !crypto.timingSafeEqual(expectedBuf, receivedBuf)) {
  return res.status(401).send('Invalid signature');
}
Warning: Always use a constant-time comparison (hash_equals / timingSafeEqual) to prevent timing attacks. Note that timingSafeEqual throws when the two buffers differ in length, so confirm the header is present and of the expected length before calling it; hash_equals handles a length mismatch by returning false.