Verifying a Webhook Request - Scalev Documentation

To authenticate webhook requests from Scalev, verify the signature included in the X-Scalev-Hmac-Sha256 header. This signature is created using your Signing Secret as the key in an HMAC-SHA256 algorithm. To validate each request:

Extract the signature from the X-Scalev-Hmac-Sha256 header
Calculate your own HMAC-SHA256 digest using your Signing Secret
Compare your calculated digest with the received signature

If the signatures match, you can trust that the webhook came from Scalev and wasn’t tampered with. Here are code examples to help you validate the webhook:

Node.js

// Using crypto-js dependency
const HMACSHA256 = require("crypto-js/hmac-sha256");
const BASE64 = require("crypto-js/enc-base64");
const calculatedHmac = BASE64.stringify(
  HMACSHA256("JSON-BODY-HERE", "YOUR-SIGNING-SECRET-HERE"),
);
console.log(calculatedHmac);

Python

import hmac
import base64
json_body = 'JSON-BODY-HERE'.encode('utf-8')
signing_secret = 'YOUR-SIGNING-SECRET-HERE'.encode('utf-8')
calculated_hmac = base64.b64encode(
   hmac.new(signing_secret, json_body, 'sha256').digest()
).decode('utf-8')
print(calculated_hmac)

Webhooks

​Node.js

​Python

Node.js

Python