Webhook Security
When you build event-driven integrations, your webhook endpoints are publicly accessible, which means anyone on the internet can send requests to them. HMAC (hash-based message authentication code) is the recommended way to verify that an incoming request was sent by a party that holds your shared secret and that its body was not altered in transit.
How HMAC works
HMAC combines the request body with a shared secret key to produce a fixed-length signature. Before your source application sends a webhook request, it computes the HMAC of the payload with the secret key and includes the resulting value in a request header. When Prismatic receives the request, it recomputes the HMAC over the body it received, using the same key, and compares the two values. If they match, the body was produced by a holder of the secret and has not been modified. Two details matter in practice: compute the HMAC over the raw request bytes as received, not over a body that has been parsed and re-serialized (whitespace or key-order differences change the result), and compare the two values with a constant-time comparison so that a forged signature cannot be refined one byte at a time by measuring response times.
The secret key itself is never transmitted; it is used only to generate and validate the signature. This means an attacker who intercepts a request cannot forge a valid signature for a different body without the key. Note that HMAC alone does not stop an attacker from replaying an intercepted request unchanged; if replay matters for your integration, the sender must also include something unique in the signed payload, such as a timestamp or event ID, that the receiver checks.
Using HMAC in Prismatic
For apps that don't have an app-specific connector, you can use the built-in HMAC Webhook Trigger from the Hash component. It validates signatures automatically when the source application follows the pattern above:
- The request body is signed (HMAC) with a string secret key
- The resulting signature is included as a request header
If you'd like to wrap HMAC logic into a reusable component, you can build a custom webhook trigger.
Learn more
For a deeper explanation of HMAC, including code examples in Node.js, Python, PHP, and .NET, see What is HMAC?