With signature verification, you can determine if the webhook came from Dock, and has not been tampered with in transit. All webhooks are delivered with a X-Dock-Signature and X-Timestamp header. Dock generates this header using a secret key that only you and Dock know. An example header looks like this: 
X-Dock-Signature: c9ed6a2abf93f59d761eea69908d8de00f4437b5b6d7cd8b9bf5719cbe61bf46
X-Timestamp: 1716998400

Finding your webhook’s signing secret

You can find your webhook’s signing secret in the Webhook page by clicking on the View Secret Key button:
Webhook signing secret
Make sure to keep this secret safe by only storing it in a secure environment variable (e.g. DOCK_WEBHOOK_SECRET). Do not commit it to git or add it in any client-side code.

Verifying a webhook request

To verify, you can use the secret key to generate your own signature for webhook. If both signatures match then you can be sure that a received event came from Dock. The steps required are:
  1. Get the raw body of the request.
  2. Extract the signature from the X-Dock-Signature header.
  3. Calculate the HMAC of the Request Method + Target Url + Raw Body using the SHA-256 hash function and the secret.
  4. Compare the calculated HMAC with the one sent in the X-Dock-Signature header. If they match, the webhook is verified.
Here’s an example of how you can verify a webhook request in different languages: 
export const POST = async (req: Request,res: Response) => {
  const webhookSignature = req.headers.get("X-Dock-Signature");
  if (!webhookSignature) {
    return res.status(401).send("No signature provided.");
  }

  // Copy this from the webhook details page
  const secret = process.env.DOCK_WEBHOOK_SECRET;
  if (!secret) {
    return res.status(401).send("No secret provided.");
  }

  // Make sure to get the body from the request
  const url = `https://${req.header('host')}${req.path}`;
  const body = JSON.stringify(req.body);
  const payload = `${req.method}\n${url}\n${body}`;

  const computedSignature = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");

  if (crypto.timingSafeEqual(
      Buffer.from(webhookSignature, 'hex'),
      Buffer.from(computedSignature, 'hex'),
    )) {
    return res.status(400).send("Invalid signature");
  }

  // Handle the webhook event
  // ...
};

Why is signature verification important?

Signature verification is a crucial security measure that protects against request forgery and data tampering. Without verification, malicious actors could send fake webhook events to your endpoint, potentially triggering unauthorized actions. The HMAC-SHA256 signature verification process ensures that only Dock can generate valid webhook requests and that payloads haven’t been modified in transit. This provides both authentication (confirming the sender is Dock) and integrity (ensuring the message hasn’t been tampered with).