Verifying webhooks
How Nolixan verifies inbound webhook signatures, and how to verify what it forwards to you.
Inbound verification
When a provider posts to a connection's webhook endpoint, Nolixan verifies the signature before trusting the event. Providers with a dedicated handler (e.g. GitHub, Slack) are checked with that provider's scheme; otherwise a generic HMAC-SHA256 check runs against the secret stored on the connection.
The signature is read from the first present of these headers —
x-hub-signature-256, x-signature-256, x-webhook-signature, x-signature, x-hub-signature —
with any sha256= prefix stripped, and compared in constant time (hmac.compare_digest) to guard
against timing attacks.
The check is fail-closed: if a signing secret is configured and the signature is missing or wrong,
the request is rejected with 401. If no secret is configured, behavior depends on
WEBHOOK_REQUIRE_SIGNATURE — when set, unsigned events are rejected; otherwise they're permitted. Either
way the event is still persisted and rejections are recorded with a reason, so failures are visible in
the trail.
Verifying what Nolixan forwards to you
When Nolixan forwards an event to your subscription's forward_url, it signs the payload with that
subscription's signing_secret (set when you create the subscription). Verify it on
your side by computing HMAC-SHA256 over the raw request body with your secret and comparing — in constant
time — to the signature header on the forwarded request.