Verify Webhook Requests
Why verify webhook requests?
Because your endpoint must be publicly accessible, you should verify that the requests are coming from resms.dev and not from a malicious actor.
How to verify webhook requests?
When you register your webhook endpoint, a secret key is generated (you can find it in the webhook settings).
When a webhook is triggered, the request includes the x-resms-signature-256 header. It contains an HMAC-SHA256 hash of the request body, computed with the secret as the key.
You can verify the request by computing the HMAC-SHA256 of the body in your code and comparing it to the value in the header.
If they match, the request is valid.
To avoid timing attacks, you should use a constant-time string comparison (like crypto.timingSafeEqual in Node.js).
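The check described above, written out for Node.js as an added example (it is not the resms.dev SDK helper or code from this page). It assumes the header carries the digest as hex with no prefix, which the page does not specify; the function names and sample values are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Header name from the page; Node's http module lowercases incoming header names.
const SIGNATURE_HEADER = 'x-resms-signature-256';

// Assumption: the header value is the hex-encoded digest with no prefix.
// The page does not state the encoding, so adjust this to what you receive.
const HEX_SHA256 = /^[0-9a-f]{64}$/i;

function computeSignature(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest();
}

// rawBody must be the exact bytes received (a Buffer), not JSON that was
// parsed and re-serialized: any byte-level difference changes the HMAC.
function verifyWebhook(rawBody, headers, secret) {
  const received = headers[SIGNATURE_HEADER];
  // Rejects a missing header and any value that is not 64 hex characters.
  if (typeof received !== 'string' || !HEX_SHA256.test(received)) {
    return false;
  }
  const expected = computeSignature(rawBody, secret);
  const actual = Buffer.from(received, 'hex');
  // Both buffers are 32 bytes here; timingSafeEqual throws on unequal lengths.
  return crypto.timingSafeEqual(expected, actual);
}

// Constructed sample values (not a real secret or a real resms.dev payload).
const sampleSecret = 'constructed-webhook-secret';
const sampleBody = Buffer.from('{"example":"constructed payload"}');
const sampleHeaders = {
  [SIGNATURE_HEADER]: computeSignature(sampleBody, sampleSecret).toString('hex'),
};

console.log(verifyWebhook(sampleBody, sampleHeaders, sampleSecret)); // valid request
console.log(verifyWebhook(Buffer.from('{"example":"tampered"}'), sampleHeaders, sampleSecret));
```

In a web framework, capture the raw request body before any JSON body parser runs, and respond with an error status when verifyWebhook returns false.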
SDK integration
Our SDKs provide a helper function to verify the requests.
For comprehensive details, please refer to your preferred SDK’s documentation.