Verifying Signatures
WaitlistPilot signs every webhook request so you can verify that it actually came from us and hasn't been tampered with.
Why Verify?
Verifying the signature prevents attackers from sending fake webhooks to your server. It ensures:
- Authenticity: The request came from WaitlistPilot.
- Integrity: The payload wasn't modified in transit.
Headers
We include two headers in every request:
- X-WaitlistPilot-Signature: The HMAC-SHA256 signature of the request body.
- X-WaitlistPilot-Event: The event type (e.g., signup.created).
How to Verify
To verify the signature, you need to:
- Retrieve your Webhook Secret from the dashboard.
- Capture the raw request body (before JSON parsing).
- Compute the HMAC-SHA256 digest of the raw body using your secret.
- Compare your computed signature with the X-WaitlistPilot-Signature header.
Important
Always use a constant-time comparison function to prevent timing attacks.
Example Code
import { headers } from "next/headers";
import crypto from "crypto";

export async function POST(request) {
  // Read the raw body: the signature covers the exact bytes sent, not re-serialized JSON
  const body = await request.text();
  const signature = headers().get("X-WaitlistPilot-Signature");
  const secret = process.env.WAITLIST_WEBHOOK_SECRET;

  // A missing header or an unset secret must reject, never fall through
  if (!secret || !signature) {
    return new Response("Invalid signature", { status: 401 });
  }

  const expectedSignature = crypto
    .createHmac("sha256", secret)
    .update(body)
    .digest("hex");

  // Constant-time comparison; timingSafeEqual throws on length mismatch, so check length first
  const received = Buffer.from(signature, "utf8");
  const expected = Buffer.from(expectedSignature, "utf8");
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return new Response("Invalid signature", { status: 401 });
  }

  // Process event...
  const event = JSON.parse(body);
  return new Response("OK", { status: 200 });
}