πŸ” Can you trust the data you receive from Webhooks?

You might think so - but should you?

That is where HMAC (Hash-based Message Authentication Code) comes in.
It is a way to ensure that the message you receive has not been tampered with.

But here is the thing: not all systems use it, and even if they do, you have to enforce it!

Here is how it works:

When a system sends you data via a Webhook, it signs the payload with a secret key using HMAC.
This signature is sent alongside the payload.

  • The payload is your message.
  • The signature is the HMAC.
  • The secret key is known only by the sender and receiver.


When you receive the payload, you can use the same secret key to generate the HMAC signature and compare it to the one received.

If they match?
The message is valid, untampered, and from the sender.

If they do not match?
Something went wrong.
Someone might have altered the message, or it may not be from the sender at all.


HMAC does not encrypt the data.
It adds one more layer of trust to the integrity of the message.
But its implementation is fully on you.





Unfortunately, many businesses skip validating Webhook payloads.
Maybe they are trying to deliver value faster, decrease costs, or they simply do not know about it.


And what happens if a malicious actor learns how to send you fake integration messages?
What if you process those messes and corrupt your data?
How much damage could that cause to your business?


Best practice:

Always validate Webhooks payloads if they provide HMAC signatures.
Don’t leave it to chance.
Add an extra layer of trust and security.


Are your Webhooks secure?
Do you know for certain?
Time to double-check!

πŸ”„ Share this post with your team!





I am Enrico πŸ‘‹ and I improve B2B businesses with tech.

What can I help you with, today?




You can easily verify HMAC signatures with Tray.ai
and n8n, Celigo, Make, Workato
and I am sure with many more leading iPaaS vendors!



#Webhooks #Security #integrations #automation #B2B #SaaS #iPaaS



πŸ“Œ How can you explain or understand Webhooks with a… pizza analogy? This is how!