Webhook Verification
Webhook signature verification ensures that incoming webhooks are genuinely from Pictify and haven’t been tampered with.
Always verify webhook signatures in production. Never skip verification, even for testing.
How It Works
- When you create a webhook subscription, Pictify generates a unique signing secret
- For each webhook delivery, Pictify creates a signature using HMAC-SHA256
- Your server verifies the signature before processing the webhook
The signature is sent in the X-Pictify-Signature header:
Verification Algorithm
- Extract components - Parse the timestamp (
t) and signature (v1) from the header
- Check timestamp - Reject if older than 5 minutes (replay protection)
- Compute signature - Calculate
HMAC-SHA256(secret, "{timestamp}.{payload}")
- Compare - Use constant-time comparison to compare signatures
Implementation Examples
Node.js
Python
Ruby
Framework Integration
Express.js
FastAPI
Rails
Security Best Practices
1. Store Secrets Securely
2. Use Constant-Time Comparison
Always use constant-time comparison to prevent timing attacks:
3. Enforce Timestamp Checks
Replay protection prevents attackers from resending old webhooks:
4. Use HTTPS Only
Always use HTTPS for your webhook endpoint:
5. Log Verification Failures
Monitor for potential attacks:
Troubleshooting
”Invalid signature” Error
- Check secret - Ensure you’re using the correct webhook secret
- Raw body - Make sure you’re using the raw request body, not parsed JSON
- Encoding - The payload must be UTF-8 encoded
”Timestamp too old” Error
- Clock sync - Ensure your server’s clock is synchronized (NTP)
- Processing delay - If processing takes too long, the webhook may expire
- Retry queue - Pictify retries failed webhooks, which may be older
Common Mistakes