Skip to main content

Webhook Verification

Webhook signature verification ensures that incoming webhooks are genuinely from Pictify and haven’t been tampered with.
Always verify webhook signatures in production. Never skip verification, even for testing.

How It Works

  1. When you create a webhook subscription, Pictify generates a unique signing secret
  2. For each webhook delivery, Pictify creates a signature using HMAC-SHA256
  3. Your server verifies the signature before processing the webhook

Signature Format

The signature is sent in the X-Pictify-Signature header:

Verification Algorithm

  1. Extract components - Parse the timestamp (t) and signature (v1) from the header
  2. Check timestamp - Reject if older than 5 minutes (replay protection)
  3. Compute signature - Calculate HMAC-SHA256(secret, "{timestamp}.{payload}")
  4. Compare - Use constant-time comparison to compare signatures

Implementation Examples

Node.js

Python

Go

Ruby

Framework Integration

Express.js

FastAPI

Rails

Security Best Practices

1. Store Secrets Securely

2. Use Constant-Time Comparison

Always use constant-time comparison to prevent timing attacks:

3. Enforce Timestamp Checks

Replay protection prevents attackers from resending old webhooks:

4. Use HTTPS Only

Always use HTTPS for your webhook endpoint:

5. Log Verification Failures

Monitor for potential attacks:

Troubleshooting

”Invalid signature” Error

  1. Check secret - Ensure you’re using the correct webhook secret
  2. Raw body - Make sure you’re using the raw request body, not parsed JSON
  3. Encoding - The payload must be UTF-8 encoded

”Timestamp too old” Error

  1. Clock sync - Ensure your server’s clock is synchronized (NTP)
  2. Processing delay - If processing takes too long, the webhook may expire
  3. Retry queue - Pictify retries failed webhooks, which may be older

Common Mistakes