Verify Webhook Authenticity with HMAC

Configure HMAC signature verification on a webhook event source

Webhook event sources support HMAC-SHA256 signature verification. When a webhook secret is configured, Bifrost rejects any inbound request whose signature header doesn’t match a digest of the request body.

  1. Open the webhook event source and scroll to the Authentication section.

  2. Set the shared Webhook Secret, the Signature Header name (e.g. X-Hub-Signature-256), and a Signature Prefix if your provider uses one (e.g. sha256=).

  3. Save. Subsequent inbound requests must carry a valid HMAC signature in the configured header, or they are rejected with 401.

| Field | Description | Example |
| --- | --- | --- |
| Webhook Secret | Shared secret used as the HMAC key | whsec_abc123... |
| Signature Header | Header carrying the signature | X-Hub-Signature-256 |
| Signature Prefix | Stripped before comparison | sha256= |
| Event Type Header | Header carrying the event type (optional) | X-Event-Type |
| Event Type Field | Body field carrying the event type (optional) | event |
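
The check described above, sketched as an added example (not Bifrost's own code) showing both the sender computing the header and a receiver verifying it. It assumes the digest is hex-encoded, is computed over the raw request body bytes, and that a header lacking the configured prefix is rejected; `sign`, `verify`, `demo` and the sample secret and payload are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for this example, not real credentials).
SECRET = b"whsec_example_only"
HEADER = "X-Hub-Signature-256"
PREFIX = "sha256="


def sign(secret: bytes, body: bytes, prefix: str = PREFIX) -> str:
    """Sender side: header value is prefix + hex HMAC-SHA256 of the raw body."""
    return prefix + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, headers: dict,
           header: str = HEADER, prefix: str = PREFIX) -> int:
    """Receiver side: return 200 when the signature matches, otherwise 401."""
    # HTTP header names are case-insensitive, so match on the lowercased name.
    received = next((v for k, v in headers.items()
                     if k.lower() == header.lower()), None)
    if received is None:
        return 401
    if prefix:
        if not received.startswith(prefix):
            return 401
        received = received[len(prefix):]  # strip the prefix before comparing
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so timing does not reveal
    # how many leading characters of the signature were correct.
    ok = hmac.compare_digest(expected.encode(), received.encode())
    return 200 if ok else 401


def demo() -> dict:
    body = b'{"event":"push","id":42}'  # constructed sample payload
    good = {HEADER: sign(SECRET, body)}
    return {
        "valid": verify(SECRET, body, good),
        "tampered_body": verify(SECRET, body.replace(b"42", b"43"), good),
        # Same JSON, different whitespace: the bytes differ, so the digest does too.
        "reserialised": verify(SECRET, b'{"event": "push", "id": 42}', good),
        "missing_prefix": verify(SECRET, body, {HEADER: good[HEADER][len(PREFIX):]}),
        "no_header": verify(SECRET, body, {}),
        "wrong_secret": verify(b"other", body, good),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The `reserialised` case is the usual integration pitfall: a sender that signs a parsed-and-re-encoded payload instead of the exact bytes it transmits will be rejected even with the right secret.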