Verify webhook authenticity and protect your endpoint
Every webhook request includes a signature header that proves it came from TalentScreen. Always verify signatures before processing payloads to prevent spoofing attacks.
TalentScreen signs each webhook with HMAC-SHA256 over the raw request body, keyed with your signing secret. The hex-encoded digest is sent in the X-TalentScreen-Signature header. Recompute the HMAC on your side and compare it with the received value to verify authenticity.
1. Extract the signature from the header: read X-TalentScreen-Signature from the request.
2. Compute HMAC-SHA256 of the raw body, using your signing secret as the key. Hash the exact bytes you received, before any JSON parsing or re-serialization; a re-encoded body will not produce the same digest.
3. Compare the two signatures using a constant-time comparison. This prevents timing attacks that recover the expected value byte by byte.
4. Reject requests with invalid or missing signatures: return 401 Unauthorized and do not process the payload.
const crypto = require('crypto');

// Verify an X-TalentScreen-Signature value against the raw request body.
// `body` must be the exact bytes received (string or Buffer), not a
// re-serialized object, or the computed HMAC will not match.
function verifySignature(body, signature, secret) {
  const computed = crypto
    .createHmac('sha256', secret)
    .update(body, 'utf8')
    .digest('hex');
  const received = Buffer.from(String(signature || ''), 'utf8');
  const expected = Buffer.from(computed, 'utf8');
  // timingSafeEqual throws when the lengths differ, so treat a missing or
  // wrong-length header as simply invalid rather than crashing the handler.
  if (received.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(received, expected);
}

Keep your signing secret confidential. If it is compromised, rotate it immediately via Settings > Integrations > Webhooks > Rotate Secret.