Webhook Signature Verification

Verify incoming webhook payloads to ensure they originate from Nexus.

GET/v2/webhooks/webhook-signature-verificationRequires authentication

Code Example

typescript

import crypto from 'crypto'

function verifyWebhookSignature(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex')

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  )
}

// In your webhook handler
app.post('/webhooks/nexus', (req, res) => {
  const signature = req.headers['x-nexus-signature'] as string
  const isValid = verifyWebhookSignature(
    JSON.stringify(req.body),
    signature,
    process.env.WEBHOOK_SECRET!
  )

  if (!isValid) {
    return res.status(401).json({ error: 'Invalid signature' })
  }

  // Process the webhook event
  const event = req.body
  console.log('Received event:', event.type)
  res.json({ received: true })
})

Last updated: April 21, 2026typescript