Developer docs

Webhook delivery

Filament sends JSON webhooks for story.published, story.updated, story.unpublished, and comment.flagged.

Signature header

Each request includes X-Filament-Signature: t=unix_timestamp,v1=hex_hmac. The v1 value is a hex-encoded HMAC-SHA256, keyed with your endpoint secret, over the string rawBody.timestamp: the raw request body, a literal dot, then the t value.

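import { createHmac, timingSafeEqual } from "node:crypto";

// rawBody is the request body exactly as received; timestamp and signature
// are the t and v1 values from X-Filament-Signature.
export function verify(rawBody, timestamp, signature, secret) {
  const expected = createHmac("sha256", secret)
    .update(`${rawBody}.${timestamp}`)
    .digest("hex");
  const given = Buffer.from(String(signature));
  const wanted = Buffer.from(expected);
  // timingSafeEqual throws on buffers of different length, so check first.
  return given.length === wanted.length && timingSafeEqual(given, wanted);
}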

Replay behavior

Failed deliveries are visible to admins in the webhook delivery failure queue. A replay sends the original event name and payload to the same endpoint with a fresh timestamp and signature.
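
Added example, not Filament's code: it parses the X-Filament-Signature header described under "Signature header", verifies the HMAC over the raw body, and applies a freshness window, which a replay also passes because it carries a fresh timestamp and signature. The 300-second tolerance, the function names, and the sample secret and body are assumptions made for this example.

```javascript
// Added example (not Filament's code). Loads node:crypto under CommonJS or ESM.
const { createHmac, timingSafeEqual } = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const TOLERANCE_SECONDS = 300; // assumption: the page states no freshness window

// Sender side as the page describes it: HMAC-SHA256 over `${rawBody}.${timestamp}`.
function signDelivery(rawBody, timestamp, secret) {
  const mac = createHmac("sha256", secret).update(rawBody).update(`.${timestamp}`);
  return `t=${timestamp},v1=${mac.digest("hex")}`;
}

// Parse "t=unix_timestamp,v1=hex_hmac"; returns null for anything malformed.
function parseSignatureHeader(header) {
  if (typeof header !== "string") return null;
  const fields = new Map();
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    const key = part.slice(0, eq).trim();
    if (eq < 1 || fields.has(key)) return null; // no key, or duplicated key
    fields.set(key, part.slice(eq + 1).trim());
  }
  const timestamp = fields.get("t") ?? "";
  const signature = fields.get("v1") ?? "";
  if (!/^\d{1,12}$/.test(timestamp) || !/^[0-9a-f]{64}$/i.test(signature)) return null;
  return { timestamp, signature };
}

// Receiver side. rawBody must be the bytes as received, not re-serialized JSON.
function verifyDelivery(rawBody, header, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parsed = parseSignatureHeader(header);
  if (!parsed) return { ok: false, reason: "malformed-header" };
  const expected = createHmac("sha256", secret)
    .update(rawBody).update(`.${parsed.timestamp}`).digest();
  // The regex guarantees 64 hex chars, so both buffers are 32 bytes and
  // timingSafeEqual cannot throw on a length mismatch.
  if (!timingSafeEqual(Buffer.from(parsed.signature, "hex"), expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  if (Math.abs(nowSeconds - Number(parsed.timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  return { ok: true, reason: null };
}

// Constructed sample values, invented for this example.
const SAMPLE_SECRET = "example-endpoint-secret";
const SAMPLE_BODY = '{"event":"story.published"}';
const sampleHeader = signDelivery(SAMPLE_BODY, 1700000000, SAMPLE_SECRET);
console.log(verifyDelivery(SAMPLE_BODY, sampleHeader, SAMPLE_SECRET, 1700000030));
```

Because a replay is signed again with a fresh timestamp, the freshness window does not identify it as a duplicate; handlers that must not process the same payload twice need their own idempotency check.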