Verify webhooks from Nango
Step-by-step guide on how to verify the signatures of webhooks from Nango.
Validate webhook provenance by checking the X-Nango-Signature header.
Its value is a SHA-256 hash computed over the secret key, found in the Environment Settings in the Nango UI, followed by the JSON-serialized payload.
The webhook signature can be generated with the following code:
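import crypto from 'crypto';
// Secret key from the Environment Settings in the Nango UI (placeholder value).
const secretKeyDev = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';
// `payload` is the webhook payload (the request body parsed as JSON).
const signature = `${secretKeyDev}${JSON.stringify(payload)}`;
const hash = crypto.createHash('sha256').update(signature).digest('hex');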
Only accept a webhook if the X-Nango-Signature header value matches the webhook signature.
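A receiving-side check built from the steps above, as an added example (not Nango's own code). The function names, the sample secret and the sample payload are assumptions, and the constant-time comparison with `crypto.timingSafeEqual` is an addition to the plain match the page describes.

```javascript
const crypto = require('node:crypto');

// Recompute the signature the way the page describes: SHA-256 over the
// secret key followed by JSON.stringify(payload), hex-encoded.
function computeNangoSignature(secretKey, payload) {
  return crypto
    .createHash('sha256')
    .update(`${secretKey}${JSON.stringify(payload)}`)
    .digest('hex');
}

// Returns true only when the X-Nango-Signature header value matches.
// headerValue is whatever the HTTP framework exposes for that header; it can
// be undefined (header missing) or an array (header repeated), both rejected.
function verifyNangoWebhook(secretKey, payload, headerValue) {
  if (typeof headerValue !== 'string') return false;
  const expected = Buffer.from(computeNangoSignature(secretKey, payload), 'utf8');
  const received = Buffer.from(headerValue, 'utf8');
  // timingSafeEqual throws on a length mismatch, so reject that case first.
  if (received.length !== expected.length) return false;
  // Constant-time comparison avoids leaking how many leading characters matched.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data: placeholder secret and a made-up payload.
const SAMPLE_SECRET = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';
const samplePayload = { event: 'example', id: 42 };
const sampleHeader = computeNangoSignature(SAMPLE_SECRET, samplePayload);

// Genuine delivery, tampered payload, and missing header.
console.log(verifyNangoWebhook(SAMPLE_SECRET, samplePayload, sampleHeader));
console.log(verifyNangoWebhook(SAMPLE_SECRET, { ...samplePayload, id: 43 }, sampleHeader));
console.log(verifyNangoWebhook(SAMPLE_SECRET, samplePayload, undefined));
```

The hash covers the re-serialized payload, so the check only passes when `JSON.stringify` on the receiving side produces the same string the signature was computed over.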