Webhook Endpoints

Verifying Webhook Signatures

All webhook requests include an X-RBS-Signature header. Verify this signature using your webhook secret:

// Node.js example
const crypto = require('crypto');

function verifySignature(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}