API Docs

Webhook Signature Verification

Every webhook request is signed using HMAC SHA256.

Signature Details

Property	Value
Algorithm	HMAC SHA256
Signing Secret	Webhook Signing Secret
Message	Raw HTTP request body
Encoding	Base64
Header	`x-marmin-signature`

Always verify using the raw request body (before JSON parsing).

See the right panel for JavaScript and Python examples of computing and verifying the webhook signature.

Signature generation

const crypto = require("crypto");

function verifyWebhookSignature(rawBody, receivedSignature, webhookSecret) {
  const expectedSignature = crypto
    .createHmac("sha256", webhookSecret)
    .update(rawBody)
    .digest("base64");

  return expectedSignature === receivedSignature;
}