Webhook Security
Verify webhook signatures to ensure requests are genuinely from Orbit AI and haven't been tampered with.
Signature Header
Every webhook request includes a signature in the X-Orbit-Signature header:
X-Orbit-Signature: sha256=abc123def456...
Verification Example
Here's how to verify the signature in Node.js:
Node.js
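const crypto = require('crypto');
const express = require('express');

const app = express();

// Returns true only if the header matches the HMAC-SHA256 of the payload.
function verifyWebhookSignature(payload, signature, secret) {
  // A missing header or an unparsed body fails verification instead of throwing.
  if (typeof signature !== 'string') {
    return false;
  }
  if (typeof payload !== 'string' && !Buffer.isBuffer(payload)) {
    return false;
  }
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload, 'utf8')
    .digest('hex');
  const expected = `sha256=${expectedSignature}`;
  const received = Buffer.from(signature);
  const computed = Buffer.from(expected);
  // timingSafeEqual throws when lengths differ, so compare lengths first.
  return (
    received.length === computed.length &&
    crypto.timingSafeEqual(received, computed)
  );
}

// Usage in Express
// express.raw keeps the body as the exact bytes received (assuming JSON
// deliveries); re-serializing a parsed body with JSON.stringify may not
// reproduce the bytes that were signed.
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.headers['x-orbit-signature'];
  const isValid = verifyWebhookSignature(
    req.body,
    signature,
    process.env.WEBHOOK_SECRET
  );
  if (!isValid) {
    return res.status(401).send('Invalid signature');
  }
  // Process webhook (parse req.body with JSON.parse)...
  res.status(200).send('OK');
});
Important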
Always verify the signature before processing webhook data. Never trust webhook payloads without verification.
Webhook Secret
Your webhook secret is available in your dashboard under Settings → Webhooks. If you suspect it has been compromised, you can regenerate it at any time.
- Store the secret in environment variables
- Never commit secrets to version control
- Rotate secrets periodically for security
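If deliveries signed with the old secret are still in flight when you rotate, the receiver can accept both the new and the previous secret for a short overlap. The sketch below is an added example, not Orbit AI's code. It assumes the signature is a lowercase-hex HMAC-SHA256 of the raw request body; `sign`, `verifyWithRotation` and the secret values are hypothetical.

```javascript
const crypto = require('crypto');

// "sha256=<hex>" HMAC-SHA256 of the raw body, the format shown in the header example.
function sign(rawBody, secret) {
  const mac = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  return `sha256=${mac}`;
}

// Returns the label of the secret that verified the request, or null.
// `secrets` is an ordered list of { label, value }; hypothetical shape.
function verifyWithRotation(rawBody, header, secrets) {
  // Reject a missing or malformed header before any comparison.
  if (typeof header !== 'string' || !/^sha256=[0-9a-f]{64}$/.test(header)) {
    return null;
  }
  const received = Buffer.from(header, 'utf8');
  let matched = null;
  for (const { label, value } of secrets) {
    if (!value) continue; // slot not configured, e.g. no previous secret
    const expected = Buffer.from(sign(rawBody, value), 'utf8');
    // Equal lengths are guaranteed by the format check above. Every
    // candidate is compared, with no early exit on the first match.
    if (crypto.timingSafeEqual(received, expected) && matched === null) {
      matched = label;
    }
  }
  return matched;
}

// Constructed sample data: not real secrets, not a real Orbit AI payload.
const SECRETS = [
  { label: 'current', value: 'constructed-new-secret' },
  { label: 'previous', value: 'constructed-old-secret' },
];
const BODY = Buffer.from('{"event":"example","id":1}', 'utf8');

function demo() {
  return {
    signedWithNew: verifyWithRotation(BODY, sign(BODY, SECRETS[0].value), SECRETS),
    signedWithOld: verifyWithRotation(BODY, sign(BODY, SECRETS[1].value), SECRETS),
    signedWithUnknown: verifyWithRotation(BODY, sign(BODY, 'constructed-other'), SECRETS),
    missingHeader: verifyWithRotation(BODY, undefined, SECRETS),
  };
}

console.log(demo());
```

Log the returned label on each delivery; once nothing verifies as `previous`, remove the old secret from the list.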