Recover
...
API Reference
Resources
Webhook Signature Verification
4 min
overview code examples that can be used to verify a webhook signature using a signing key python \# python import hashlib import hmac from time import time def verify webhook signature(body str, headers dict, signing key str) > bool 	now = int(time()) 	incoming signature = headers get("x butter webhook signature") 	expires at = headers get("x butter webhook expiration") 	message = f"{body}+{expires at}" encode("utf 8") 	signature = hmac new(signing key encode("utf 8"), message, hashlib sha256) hexdigest() 	if signature != incoming signature 	 return false 	if expires at < now 	 return false 	return true javascript // javascript const crypto = require('crypto'); function verifywebhooksignature(body, headers, signingkey) { 	const now = math floor(new date() gettime()/1000); 	const expiresat = headers\["x butter webhook expiration"]; 	const incomingsignature = headers\["x butter webhook signature"]; 	const hmac = crypto createhmac('sha256', signingkey); 	const data = hmac update(buffer from(`${body}+${expiresat}`)); 	const signature = data digest('hex'); 	if(signature != incomingsignature) return false; 	if(expiresat < now) return false; 	return true; } go // go package main import ( 	"crypto/hmac" 	"crypto/sha256" 	"encoding/hex" ) func verifywebhooksignature(body string, headers map\[string]string, signingkey string) bool { 	now = int(time now() unix()) 	incomingsignature = headers\["x butter webhook signature"] 	expiresatstr = headers\["x butter webhook expiration"] 	expiresat, err = strconv atoi(expiresatstr) 	if err != nil { 	 return false 	} 	message = string(body) + "+" + expiresatstr 	h = hmac new(sha256 new, \[]byte(signingkey)) 	h write(\[]byte(message)) 	signature = hex encodetostring(h sum(nil)) 	if signature != incomingsignature { 	 return false 	} 	if expiresat < now { 	 return false 	} 	return true }
Updated 16 Jun 2025
Did this page help you?