Overview

Every webhook Sigma sends includes a signature in the request headers. You should verify this signature before processing any webhook payload to ensure the request genuinely came from Sigma and was not tampered with.

x-signature: {your-received-signature}

Always verify the signature before acting on the webhook payload.

How the Signature is Generated

Sigma generates the signature by:
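  1. Concatenating your apiKey and apiSecret (with no separator): {apiKey}{apiSecret}
  2. Computing an HMAC-SHA256 with the concatenated string as the key and your businessId as the message (payload)
The result, hex-encoded, is the signature sent in the x-signature header. Because the message is your businessId rather than the request body, the signature is the same value for every webhook sent for that business.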

How to Verify the Signature

To verify an incoming webhook:
  1. Retrieve the x-signature value from the request headers
  2. Concatenate your apiKey and apiSecret to form your hash secret
  3. Generate an HMAC-SHA256 hash of your businessId using the hash secret
  4. Compare your generated hash against the received signature — if they match, the webhook is valid
Your businessId is available on the Webhooks page in the Sigma dashboard.
const crypto = require("crypto");

// Your secret key for generating and verifying signatures
const hashSecret = "{your-api-key}{your-secret-key}";
// Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719

// Business ID (the value that is signed) and the signature received in the request headers
const businessId =
  "{your-business-id}"; /* Extract business ID from webhook page on Sigma dashboard */
const receivedSignature =
  "{your-received-signature}"; /* Extract signature from request headers */

// Function to generate a signature for a given payload
function generateSignature(payload: string) {
  const hmac = crypto.createHmac("sha256", hashSecret);
  hmac.update(payload);
  return hmac.digest("hex");
}

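// Validate the received signature using a constant-time comparison
const generatedSignature = generateSignature(businessId);
const expected = Buffer.from(generatedSignature, "utf8");
const received = Buffer.from(receivedSignature, "utf8");

// timingSafeEqual throws if the lengths differ, so check the length first
if (
  expected.length === received.length &&
  crypto.timingSafeEqual(expected, received)
) {
  console.log(
    "Webhook signature is valid. Proceed with processing the payload."
  );
} else {
  console.log("Webhook signature is invalid. Do not process the payload.");
}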
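
The verification steps above, packaged as a reusable check that reads the x-signature header from Node's request headers and fails closed on a missing or malformed value. This is an added example, not code from Sigma; createSigmaVerifier, signatureFor and the sample credentials are hypothetical names and constructed values.

```javascript
const { createHmac, timingSafeEqual } = require("crypto");

// Scheme from this page: key = apiKey + apiSecret, message = businessId,
// output = hex-encoded HMAC-SHA256.
function signatureFor({ apiKey, apiSecret, businessId }) {
  return createHmac("sha256", apiKey + apiSecret).update(businessId).digest("hex");
}

// Hypothetical helper: returns a function that checks one request's headers.
function createSigmaVerifier(creds) {
  if (!creds.apiKey || !creds.apiSecret || !creds.businessId) {
    throw new Error("apiKey, apiSecret and businessId are all required");
  }
  // The expected value does not depend on the request, so compute it once.
  const expected = Buffer.from(signatureFor(creds), "utf8");

  // `headers` is Node's req.headers object (header names are lower-cased).
  return function verify(headers) {
    const value = headers["x-signature"];
    // Reject a missing, empty or non-string value (fail closed).
    if (typeof value !== "string" || value.length === 0) return false;
    const received = Buffer.from(value.trim(), "utf8");
    // timingSafeEqual throws on unequal lengths, so check the length first.
    if (received.length !== expected.length) return false;
    return timingSafeEqual(received, expected);
  };
}

// Constructed sample credentials, for illustration only.
const sample = {
  apiKey: "example-api-key",
  apiSecret: "example-api-secret",
  businessId: "example-business-id",
};
const verify = createSigmaVerifier(sample);

// Runs the verifier against constructed header sets.
function demo() {
  const good = signatureFor(sample);
  return {
    valid: verify({ "x-signature": good }),
    missing: verify({}),
    wrongLength: verify({ "x-signature": good.slice(0, 10) }),
    wrongValue: verify({ "x-signature": "0".repeat(64) }),
  };
}

console.log(demo());
```

In an HTTP handler, call verify(req.headers) before parsing the body and return a 401 response when it is false.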