Every webhook Sigma sends includes a signature in the request headers. You should verify this signature before processing any webhook payload to ensure the request genuinely came from Sigma and was not tampered with.
x-signature: {your-received-signature}
Always verify the signature before acting on the webhook payload.
1. Retrieve the x-signature value from the request headers.
2. Concatenate your apiKey and apiSecret to form your hash secret.
3. Generate an HMAC-SHA256 hash of your businessId using the hash secret.
4. Compare your generated hash against the received signature. If they match, the webhook is valid.
Your businessId is available on the Webhooks page in the Sigma dashboard.
```javascript
const crypto = require("crypto");

// Your secret key for generating and verifying signatures
const hashSecret = "{your-api-key}{your-secret-key}";
// Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719

// Received webhook payload and signature from the request headers
const businessId = "{your-business-id}"; /* Extract business ID from webhook page on Sigma dashboard */
const receivedSignature = "{your-received-signature}"; /* Extract signature from request headers */

// Function to generate a signature for a given payload
function generateSignature(payload) {
  const hmac = crypto.createHmac("sha256", hashSecret);
  hmac.update(payload);
  return hmac.digest("hex");
}

// Validate the received signature
const generatedSignature = generateSignature(businessId);
const expected = Buffer.from(generatedSignature, "utf8");
const received = Buffer.from(receivedSignature, "utf8");

// Compare in constant time; timingSafeEqual throws on unequal lengths, so check length first
if (expected.length === received.length && crypto.timingSafeEqual(expected, received)) {
  console.log(
    "Webhook signature is valid. Proceed with processing the payload."
  );
} else {
  console.log("Webhook signature is invalid. Do not process the payload.");
}
```
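The verification above placed inside a webhook receiver, as an added example that is not Sigma's own code: it rejects a missing, repeated, or malformed x-signature header before the request body is read. The function names (`expectedSignature`, `isValidSignature`, `createReceiver`) and the `onEvent` callback are assumptions made for this sketch.

```javascript
// Added example, not Sigma's code. All names here are hypothetical.
const crypto = require("crypto");
const http = require("http");

// Hash secret = apiKey + apiSecret; signed message = businessId.
function expectedSignature(apiKey, apiSecret, businessId) {
  return crypto
    .createHmac("sha256", apiKey + apiSecret)
    .update(businessId)
    .digest("hex");
}

// Reads x-signature and compares it to the expected value in constant time.
// Returns false when the header is absent, is not a single 64-character
// lowercase hex string (Node joins repeated custom headers with ", "),
// or does not match.
function isValidSignature(headers, expected) {
  const received = headers["x-signature"]; // Node lower-cases header names
  if (typeof received !== "string" || !/^[0-9a-f]{64}$/.test(received)) {
    return false;
  }
  const a = Buffer.from(received, "hex");
  const b = Buffer.from(expected, "hex");
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// HTTP receiver that answers 401 to unverified requests without reading
// the body, and passes the raw body of verified requests to onEvent.
function createReceiver(expected, onEvent) {
  return http.createServer((req, res) => {
    if (req.method !== "POST" || !isValidSignature(req.headers, expected)) {
      res.writeHead(401).end();
      return;
    }
    const chunks = [];
    req.on("data", (chunk) => chunks.push(chunk));
    req.on("end", () => {
      onEvent(Buffer.concat(chunks).toString("utf8"));
      res.writeHead(200).end();
    });
  });
}
```

Because the signed message is the businessId rather than the request body, the expected value is the same for every delivery and can be computed once at startup and passed to `createReceiver`.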