Outgoing webhooks now include HMAC signature headers so receiving services can verify the request came from Pushlog.
How it works
Every webhook request includes two headers:
X-Pushlog-Signature: sha256=abc123...
X-Pushlog-Timestamp: 1719849600Verification example
const crypto = require('crypto');
function verifyWebhook(payload, signature, timestamp, secret) {
const message = `${timestamp}.${JSON.stringify(payload)}`;
const expected = crypto
.createHmac('sha256', secret)
.update(message)
.digest('hex');
return `sha256=${expected}` === signature;
}Replay protection
Timestamp validation prevents replay attacks — reject any webhook where the timestamp is more than 5 minutes old.
Your project-specific webhook secret is available in Project Settings → Integrations.
See our webhook verification docs for complete implementation guides in Python, Ruby, Go, and PHP.