Verifying webhook signatures
Every webhook POST includes an X-Turtini-Signature header containing an HMAC-SHA256 hex digest of the raw request body, signed with your webhook's signing secret.
To verify on your server:
1. Read the raw request body (before any JSON parsing)
2. Compute HMAC-SHA256(body, yourSigningSecret)
3. Compare the hex digest to X-Turtini-Signature
4. Reject the request if they don't match
This prevents spoofed requests from reaching your system.
You can rotate your signing secret at any time by editing the webhook and clicking "Regenerate". Update your server immediately after rotating.