Signature Verification
Use this page to verify webhook authenticity before you accept or process a payload.
Current Signature Headers
Doqlo sends these headers on webhook requests:
- X-Doqlo-Event
- X-Doqlo-Event-Id
- X-Doqlo-Timestamp
- X-Doqlo-Signature
- User-Agent: Doqlo-Webhook/1.0
Current signature format:
- X-Doqlo-Signature: v1=<hex>
- X-Doqlo-Timestamp: <unix-seconds>
- signing input: <timestamp>.<raw_body>
- algorithm: HMAC-SHA256
Verification Steps
- Read the raw request body exactly as received.
- Read X-Doqlo-Timestamp.
- Compute HMAC-SHA256 over <timestamp>.<raw_body> with your webhook_secret.
- Prefix the hex digest with v1=.
- Compare the computed value with X-Doqlo-Signature.
- Reject the request if the values do not match.
Example
timestamp='1710590400'
signature='v1=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
secret='your-webhook-secret'
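# Stream the file so a trailing newline in the body is preserved;
# "$(cat payload.json)" would strip it and change the HMAC input.
expected="v1=$({ printf '%s.' "$timestamp"; cat payload.json; } | openssl dgst -sha256 -hmac "$secret" -binary | xxd -p -c 256)"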
test "$signature" = "$expected"
Important Notes
- Use the raw body, not a re-serialized JSON object.
- Verify the signature before you trust the payload contents.
- Store and compare event_id after signature verification so retries remain idempotent.
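The verification steps and notes above, put together as a receiver-side check. This is an added example, not Doqlo's own code. The function names, the sample secret and payload, and the assumption that the payload JSON carries an event_id field are all constructed for illustration.

```python
import hashlib
import hmac
import json

def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Build v1=<hex>: HMAC-SHA256 over <timestamp>.<raw_body>."""
    signing_input = timestamp.encode("ascii") + b"." + raw_body
    return "v1=" + hmac.new(secret, signing_input, hashlib.sha256).hexdigest()

def handle_webhook(headers: dict, raw_body: bytes, secret: bytes, seen: set) -> str:
    """Return 'rejected', 'duplicate' or 'accepted' for one delivery."""
    timestamp = headers.get("X-Doqlo-Timestamp", "")
    received = headers.get("X-Doqlo-Signature", "")
    if not (timestamp.isascii() and timestamp.isdigit()) or not received:
        return "rejected"
    expected = compute_signature(secret, timestamp, raw_body)
    # Constant-time comparison on bytes; a plain == can leak timing.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return "rejected"
    # The body is authenticated from here on, so parsing it is safe.
    # Assumption: the payload carries its id in an "event_id" field.
    event_id = json.loads(raw_body).get("event_id")
    if not event_id:
        return "rejected"
    if event_id in seen:
        return "duplicate"  # a retry of an event already processed
    seen.add(event_id)
    return "accepted"

# Constructed sample delivery (not real Doqlo data).
SECRET = b"example-webhook-secret"
TS = "1710590400"
RAW_BODY = b'{"event_id":"evt_example_1","type":"example.event"}'
HEADERS = {
    "X-Doqlo-Timestamp": TS,
    "X-Doqlo-Signature": compute_signature(SECRET, TS, RAW_BODY),
}

if __name__ == "__main__":
    seen_ids = set()
    print(handle_webhook(HEADERS, RAW_BODY, SECRET, seen_ids))  # first delivery
    print(handle_webhook(HEADERS, RAW_BODY, SECRET, seen_ids))  # retry
    # Parsing and re-serializing changes the bytes, so the HMAC no longer matches.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    print(handle_webhook(HEADERS, reserialized, SECRET, seen_ids))
```

In a real receiver the set of seen ids would live in durable storage shared by all workers, so a retry that lands on a different process is still recognized.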