Security

Webhook signature verification

Outgoing webhooks now include HMAC signature headers so receiving services can verify the request came from Pushlog.

How it works

Every webhook request includes two headers:

X-Pushlog-Signature: sha256=abc123...
X-Pushlog-Timestamp: 1719849600

Verification example

const crypto = require('crypto');

function verifyWebhook(payload, signature, timestamp, secret) {
  const message = `${timestamp}.${JSON.stringify(payload)}`;
  const expected = crypto
    .createHmac('sha256', secret)
    .update(message)
    .digest('hex');
  
  return `sha256=${expected}` === signature;
}

Replay protection

Timestamp validation prevents replay attacks — reject any webhook where the timestamp is more than 5 minutes old.

Your project-specific webhook secret is available in Project Settings → Integrations.

See our webhook verification docs for complete implementation guides in Python, Ruby, Go, and PHP.

Back to changelog