Overview

hmac verification for events klavi defaults to using the secretkey and sha 256 hmac algorithm to sign the payload the following parameter will be included in the request header that klavi post to you x klavi signature 11fad26ccd04a59085a738b8e20be5f4e01887a3c5cdc88cd37bf431e843083e x klavi timestamp 1740716924 we recommend that you verify the signature of the webhook tips for best practice create a sha 256 hmac of the request body using your secretkey as the key compare it to the signature included on the x klavi signature header if the two are equal then the request is valid, otherwise, it is spoofed the x klavi signature and x klavi timestamp header gets added to every event and product reports here is an example of signature verification in node js const crypto = require('crypto'); const partnersecret = '{{secret key}}'; router use('/webhook handler', (request, res) => { const body = request body; const signature = crypto createhmac('sha256', partnersecret) update(json stringify(body)) digest('hex'); if (request get('x klavi signature') !== signature) { throw new error('spoofing detected, rejecting webhook'); } });