Every webhook delivery is signed with your webhook’s secret using HMAC-SHA256. Always verify the signature before processing the payload to ensure the request is authentic.

How it works

  1. DroneBundle computes an HMAC-SHA256 hash of the raw JSON request body using your webhook’s secret
  2. The hash is sent in the x-dronebundle-signature header in the format sha256=<hex_digest>
  3. Your server computes the same hash and compares the two values
Always use the raw request body for verification, not a parsed-and-re-serialized version. Re-serializing JSON can change key order or whitespace, which will produce a different hash.

Code examples

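import { createHmac, timingSafeEqual } from 'node:crypto';

// body: the raw request body (string or Buffer), exactly as received
// signatureHeader: value of the x-dronebundle-signature header
function verifyWebhookSignature(body, secret, signatureHeader) {
  // Reject a missing header or one without the sha256= prefix
  if (typeof signatureHeader !== 'string' || !signatureHeader.startsWith('sha256=')) {
    return false;
  }

  const expected = createHmac('sha256', secret)
    .update(body)
    .digest();

  const received = Buffer.from(signatureHeader.slice('sha256='.length), 'hex');

  // timingSafeEqual throws on buffers of different lengths, so check first
  if (received.length !== expected.length) {
    return false;
  }

  return timingSafeEqual(expected, received);
}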
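
The raw-body rule above, as an added example (not DroneBundle's own code): the same delivery is accepted when the handler verifies the bytes it received and rejected once those bytes have been parsed and re-serialized. The secret, the event payload, the `handleDelivery` helper and the 401/400 status codes are assumptions made for the illustration.

```javascript
// CommonJS require so the block runs as a plain script; in an ES module use the import form.
const { createHmac, timingSafeEqual } = require('node:crypto');

const HEADER = 'x-dronebundle-signature';
const SECRET = 'whsec_constructed_example'; // constructed secret, not a real value

// Sender side as described in steps 1-2: HMAC-SHA256 over the raw body bytes.
function signBody(rawBody, secret) {
  return 'sha256=' + createHmac('sha256', secret).update(rawBody).digest('hex');
}

function isValidSignature(rawBody, secret, header) {
  if (typeof header !== 'string' || !header.startsWith('sha256=')) return false;
  const received = Buffer.from(header.slice('sha256='.length), 'hex');
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  // timingSafeEqual throws on unequal lengths, so reject those first.
  return received.length === expected.length && timingSafeEqual(expected, received);
}

// Hypothetical handler: rawBody is the Buffer read from the request, before any JSON middleware.
function handleDelivery(rawBody, headers, secret) {
  if (!isValidSignature(rawBody, secret, headers[HEADER])) {
    return { status: 401, event: null }; // do not parse unauthenticated input
  }
  try {
    return { status: 200, event: JSON.parse(rawBody.toString('utf8')) };
  } catch {
    return { status: 400, event: null };
  }
}

// Constructed delivery: note the spaces and the "1.50" number formatting in the raw bytes.
const rawBody = Buffer.from('{"event": "flight.completed", "data": {"id": 42, "distance_km": 1.50}}');
const headers = { [HEADER]: signBody(rawBody, SECRET) };

// What the handler sees if the body was parsed and re-serialized first: same data, different bytes.
const reserialized = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))));

function demo() {
  return {
    raw: handleDelivery(rawBody, headers, SECRET).status,
    reserialized: handleDelivery(reserialized, headers, SECRET).status,
    truncatedHeader: handleDelivery(rawBody, { [HEADER]: headers[HEADER].slice(0, 20) }, SECRET).status,
    missingHeader: handleDelivery(rawBody, {}, SECRET).status,
  };
}

console.log(demo());
```

In a framework that parses JSON automatically, keep a copy of the request bytes before the parser runs and pass that copy to the verification function.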