Signature verification API
HookNexus can verify common webhook HMAC signatures so you can validate payloads in one place.
Endpoint: POST https://api.hooknexus.com/api/verify-signature
- Authentication: not required (public utility).
- Content-Type:
application/json
Request body
| Field | Type | Required | Description |
|---|---|---|---|
provider | string | Yes | One of: github, stripe, shopify, slack |
payload | string | Yes | Raw request body as a string (use the exact bytes the provider signed) |
signature | string | Yes | Value from the provider’s signature header (see per-provider below) |
secret | string | Yes | Signing secret (HMAC key) from the provider dashboard |
timestamp | string | No | For Slack, pass X-Slack-Request-Timestamp when verifying v1 signatures |
Response (200 OK)
{ "valid": true, "expected": "...", "actual": "...", "details": "optional diagnostic text"}On verification errors, the handler may still return 200 with valid: false and details explaining the failure.
Providers
Header: X-Hub-Signature-256
Format: sha256=<hex_digest>
curl -X POST https://api.hooknexus.com/api/verify-signature \ -H "Content-Type: application/json" \ -d '{ "provider": "github", "payload": "{\"action\":\"opened\"}", "signature": "sha256=abcdef...", "secret": "your_webhook_secret" }'Use the raw JSON body exactly as received (no re-formatting).
Header: Stripe-Signature
Format: t=<timestamp>,v1=<signature> (pass the full header value as signature)
curl -X POST https://api.hooknexus.com/api/verify-signature \ -H "Content-Type: application/json" \ -d '{ "provider": "stripe", "payload": "{\"id\":\"evt_123\"}", "signature": "t=1492774577,v1=5257a869e7eceb...", "secret": "whsec_..." }'Header: X-Shopify-Hmac-Sha256
Format: Base64 HMAC of the raw body
curl -X POST https://api.hooknexus.com/api/verify-signature \ -H "Content-Type: application/json" \ -d '{ "provider": "shopify", "payload": "{\"id\":123}", "signature": "<base64 from header>", "secret": "your_shopify_shared_secret" }'Headers: X-Slack-Signature, X-Slack-Request-Timestamp
Format: v0=<hex_hmac>
curl -X POST https://api.hooknexus.com/api/verify-signature \ -H "Content-Type: application/json" \ -d '{ "provider": "slack", "payload": "token=xyz&team_id=T1", "signature": "v0=a2114d57b48eac39b9ad...", "secret": "your_signing_secret", "timestamp": "1531420618" }'Include timestamp from X-Slack-Request-Timestamp when you have it.