Nolixan

Verifying webhooks

How Nolixan verifies inbound webhook signatures, and how to verify what it forwards to you.

Inbound verification

When a provider posts to a connection's webhook endpoint, Nolixan verifies the signature before trusting the event. Providers with a dedicated handler (e.g. GitHub, Slack) are checked with that provider's scheme; otherwise a generic HMAC-SHA256 check runs against the secret stored on the connection.

The signature is read from the first present of these headers — x-hub-signature-256, x-signature-256, x-webhook-signature, x-signature, x-hub-signature — with any sha256= prefix stripped, and compared in constant time (hmac.compare_digest) to guard against timing attacks.

The check is fail-closed: if a signing secret is configured and the signature is missing or wrong, the request is rejected with 401. If no secret is configured, behavior depends on WEBHOOK_REQUIRE_SIGNATURE — when set, unsigned events are rejected; otherwise they're permitted. Either way the event is still persisted and rejections are recorded with a reason, so failures are visible in the trail.

Verifying what Nolixan forwards to you

When Nolixan forwards an event to your subscription's forward_url, it signs the payload with that subscription's signing_secret (set when you create the subscription). Verify it on your side by computing HMAC-SHA256 over the raw request body with your secret and comparing — in constant time — to the signature header on the forwarded request.

On this page