Verifying Webhooks from
Updated this week

This guide will help you verify webhooks, ensuring your data is secure and trustworthy.

Webhooks are crucial for smooth app communication, and verifying them keeps your systems safe. Whether you're new to this or need a reliable method, we'll guide you step by step.

We'll cover setting up OAuth apps and calculating digital signatures. By the end, you'll confidently verify webhooks in different programming languages. Let's get started to secure your webhook data.

Step 1: Obtain the Secret String from Creating an OAuth App

  • Start by creating an OAuth app as shown in this guide.

  • Follow the steps to get the secret string, like the one in the screenshot below.

Step 2: Set Up a Webhook for the Callback URL

  • Create a webhook to get important data from This helps information flow smoothly into your system.

  • Go to this link: Webhooks Documentation for detailed instructions.

  • Make sure your webhook uses an HTTPS URL with a valid SSL certificate for secure data transfer.

  • Be careful with the structure of your data (JSON or XML). It depends on the webhook event, so it can vary.

By following these steps, you'll set up a strong webhook for secure and organized data transfer from to your system.

Step 3: Receive Webhook Requests

Once you've registered, helps by sending messages to your chosen web address whenever something important happens.

This way, you get quick updates and important info. In this part, we'll talk about how this works and why it's important to have the right setup with secure certificates.

Step Details:

  • Register an Endpoint: Once your endpoint is registered with, communication is established.

  • Event-Triggered Requests: sends HTTP POST requests whenever specific events occur, ensuring real-time updates.

  • Data Parameters: These requests contain JSON or XML data relevant to the event, enabling effective responses.

  • SSL Security: SSL certificates are verified for secure data transmission, safeguarding your interactions.

  • Server Configuration: Ensure your server supports HTTPS and has a valid SSL certificate for reliable data reception.

Receiving webhooks from involves a systematic process of event-triggered HTTP POST requests with secure SSL transmission, ensuring effective and secure communication.

Step 4: Verify the Webhook

Before responding to a webhook, it's essential to make sure the webhook is sent from This verification process involves calculating a digital signature.

  • Calculate the Digital Signature: In every webhook request, you'll find a JUDGEME-HMAC-SHA256 header. This header is meticulously generated using the secret key derived from the OAuth app mentioned earlier, in conjunction with the data embedded within the request.

  • Compute the HMAC Digest: Apply the designated algorithm for computing the HMAC digest. Refer to the provided code examples below for practical implementation guidance.

  • Compare and Confirm: The crux of the verification lies in comparing the computed HMAC digest with the value encapsulated within the JUDGEME-HMAC-SHA256 header. A successful match unequivocally indicates that the webhook's source is


Depending on your web server's configuration, the header name can be automatically changed to HTTP_X_JUDGEME_HMAC_SHA256 or X-Judgeme-Hmac-SHA256. To ensure thorough inspection, check for all headers within the request, particularly if our header isn't readily identifiable.

Ruby Code Example:

# Demonstrating webhook verification using Ruby and the Sinatra web framework:

require 'rubygems'
require 'base64'
require 'openssl'
require 'sinatra'
require 'active_support/security_utils'

# Your app's API secret key, accessible from OAuth app creation in step 1. For production, use an environment variable to safeguard the key.

API_SECRET_KEY = 'my_api_secret_key'

helpers do
# Compare calculated HMAC digest based on API secret key and request contents with reported HMAC in headers
def verify_webhook(data, hmac_header)
calculated_hmac = OpenSSL::HMAC.hexdigest(digest, API_SECRET_KEY, data)
ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, hmac_header)

# Respond to HTTP POST requests sent to this web service
post '/' do
data =
verified = verify_webhook(data, env["JUDGEME-HMAC-SHA256"])
halt 401 unless verified
# Process webhook payload
# ...

PHP Code Example:

# Demonstrating webhook verification using PHP:

define('API_SECRET_KEY', 'my_api_secret_key'); // Your app's API secret key

function verify_webhook($data, $hmac_header)
$calculated_hmac = hash_hmac('sha256', $data, API_SECRET_KEY);
return hash_equals($hmac_header, $calculated_hmac);

$hmac_header = $_SERVER['JUDGEME-HMAC-SHA256'];
$data = file_get_contents('php://input');
$verified = verify_webhook($data, $hmac_header);

error_log('Webhook verified: '.var_export($verified, true)); // Check error.log to see the result

if ($verified) {
# Process webhook payload
# ...
} else {

Python Code Example:

# Demonstrating webhook verification using Python and the Flask framework:

from flask import Flask, request, abort
import hmac
import hashlib
import base64

app = Flask(__name__)

API_SECRET_KEY = 'my_api_secret_key' # Your app's API secret key

def verify_webhook(data, hmac_header):
computed_hmac ='utf-8'), data, digestmod=hashlib.sha256).hexdigest()
return hmac.compare_digest(computed_hmac, hmac_header)

@app.route('/webhook', methods=['POST'])
def handle_webhook():
data = request.get_data()
verified = verify_webhook(data, request.headers.get('JUDGEME-HMAC-SHA256'))

if not verified:

# Process webhook payload
# ...

return ('', 200)

These code examples showcase how to verify webhooks using different programming languages (Ruby, PHP, and Python) along with their respective frameworks.

By following these examples, you can implement webhook verification for enhanced security and accurate data processing.

Did this answer your question?