A webhook signature is a webhook security mechanism used to verify the authenticity and integrity of webhook messages sent from a provider to a receiver. It is generated by the provider using a shared secret key and an encryption algorithm, such as HMAC (Hash-based Message Authentication Code).
When a provider sends a webhook event, it computes the signature by hashing the payload and the shared secret key. The signature is then included in the webhook request, typically as a custom header, such as 'X-Signature' or 'X-Hub-Signature'.
Upon receiving the webhook request, the receiver also calculates the signature using the same algorithm and the shared secret key. If the calculated signature matches the one provided in the request header, the receiver can be confident that the webhook payload is authentic and hasn't been tampered with during transmission.
Using webhook signatures is a best practice for ensuring the security and integrity of webhook communications between the provider and the receiver. It protects against attacks such as replay attacks, man-in-the-middle attacks, and spoofing.
For more about verifying webhook signatures, you can checkout our full documentation on signature verification.