Verify webhook requests
Learn how to verify webhook requests to ensure they’re coming from Dock.
With signature verification, you can determine if the webhook came from Dock, and has not been tampered with in transit.
All webhooks are delivered with a X-Dock-Signature and X-Timestamp header. Dock generates this header using a secret key that only you and Dock know.
An example header looks like this:
Finding your webhook’s signing secret
You can find your webhook’s signing secret in the Webhook page by clicking on the View Secret Key button:
Make sure to keep this secret safe by only storing it in a secure environment variable (e.g. DOCK_WEBHOOK_SECRET). Do not commit it to git or add it in any client-side code.
Verifying a webhook request
To verify, you can use the secret key to generate your own signature for webhook. If both signatures match then you can be sure that a received event came from Dock.
The steps required are:
- Get the raw body of the request.
- Extract the signature from the
X-Dock-Signatureheader. - Calculate the HMAC of the
Request Method + Target Url + Raw Bodyusing theSHA-256hash function and the secret. - Compare the calculated
HMACwith the one sent in theX-Dock-Signatureheader. If they match, the webhook is verified.
Here’s an example of how you can verify a webhook request in different languages:
Why is signature verification important?
Signature verification is a crucial security measure that protects against request forgery and data tampering. Without verification, malicious actors could send fake webhook events to your endpoint, potentially triggering unauthorized actions.
The HMAC-SHA256 signature verification process ensures that only Dock can generate valid webhook requests and that payloads haven’t been modified in transit. This provides both authentication (confirming the sender is Dock) and integrity (ensuring the message hasn’t been tampered with).