Blog / Guides

[08 / 15]

Mar '264 min read

Verifying webhook signatures, in five languages

Every Forecite webhook delivery is signed with HMAC-SHA256. Here's how to verify X-Forecite-Signature in Python, TypeScript, Go, Rust, and Ruby.

Sam Whitaker Developer Advocate

Webhooks arrive over the open internet, so every delivery Forecite sends is signed: the raw body is HMAC-SHA256'd with your endpoint's secret and sent as X-Forecite-Signature. Verifying it takes about five lines in any language — this guide walks through all of them.

The rules that matter

Verify against the raw request bytes, not a re-serialized parse — JSON key order is not guaranteed to survive a round trip. Compare with a constant-time equality function, and use the X-Forecite-Timestamp header to reject stale replays.

Rotate without downtime

Secrets are per-endpoint, so rotation is just: create a second endpoint with a fresh secret, cut traffic over, delete the old one. Your handler never has to accept two secrets at once.