Validate webhook provenance by looking at the X-Nango-Signature header.

It’s a SHA-256 hash generated using the secret key found in the Environment Settings in the Nango UI.

The webhook signature can be generated with the following code:

import crypto from 'crypto';

const secretKeyDev = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';
const signature = `${secretKeyDev}${JSON.stringify(payload)}`;
const hash = crypto.createHash('sha256').update(signature).digest('hex');

Only accept a webhook if the X-Nango-Signature header value matches the webhook signature.

Was this page helpful?

Use custom field mappingsOverview