Imprint provides signed webhooks to ensure authenticity and verify that the webhook requests originate from our servers. You’ll receive a unique event signing token while enrolling in event notifications, and each event request includes a signature in the X-IMPRINT-HMAC-SIGNATURE header.

Header Format

The X-IMPRINT-HMAC-SIGNATURE header consists of two parts:

  • Timestamp (t) – the time the request was sent, represented as milliseconds since January 1, 1970 (Unix epoch).

  • Signature (s) – the cryptographic hash used to verify the request.

These values are separated by a comma, as shown in the example below:

t=1740779129,s=d3d12f37e9ccb686313322da672c3dbc19176d2bfbd29f987923b5784cd6ae7d

Verify signature

1. Extract the timestamp and signature

  • Split the X-IMPRINT-HMAC-SIGNATURE header at the comma (,), which separates the timestamp and signature.

  • Then, split each part at the equals sign (=) to extract the respective values.

2. Construct the message to sign

  • Concatenate the timestamp, a period (.), and the raw POST body as a string.

For example, if the request body is:

{"hello": "world", "amount": 5000}

and the timestamp is 1723493048949, the message to sign would be:

1723493048949.{"amount":5000,"hello":"world"}

3. Compute the expected signature

  • Use the signing token you were provided during event enrollment (hashed with SHA-256) to generate a Hash-based Message Authentication Code (HMAC).

  • Apply HMAC using the SHA-256 algorithm to the message created in Step 2.

4. Compare signatures

  • Compare the computed signature with the s value from the X-IMPRINT-HMAC-SIGNATURE header.

  • If they match, the request is authentic and was sent by Imprint.
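
One way to implement steps 1 to 4 in Python, as an added example rather than Imprint's own code. It assumes the body is signed exactly as the bytes received, that s is hex-encoded as in the sample header, and that the caller passes the HMAC key derived from the signing token as step 3 requires; the freshness window and all function names are additions made here.

```python
from __future__ import annotations
import hashlib
import hmac

def parse_signature_header(value: str) -> tuple[str, bytes]:
    """Split 't=<ms>,s=<hex>' into (timestamp, signature bytes) (step 1)."""
    fields = {}
    for part in value.split(","):
        name, sep, val = part.strip().partition("=")
        if not sep or name in fields:
            raise ValueError("malformed signature header")
        fields[name] = val
    t, s = fields.get("t", ""), fields.get("s", "")
    if not (t.isascii() and t.isdigit()) or len(s) != 64:
        raise ValueError("missing or invalid t/s value")
    return t, bytes.fromhex(s)  # raises ValueError if s is not hex

def expected_signature(key: bytes, timestamp: str, raw_body: bytes) -> bytes:
    """HMAC-SHA256 over '<timestamp>.<raw body>' (steps 2 and 3)."""
    message = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_webhook(key: bytes, header_value: str, raw_body: bytes,
                   now_ms: int | None = None, max_age_ms: int | None = None) -> bool:
    """Return True only for a well-formed header whose signature matches."""
    try:
        t, sig = parse_signature_header(header_value)
    except ValueError:
        return False
    # Optional freshness window in milliseconds (an assumption made here;
    # the page does not state a tolerance).
    if now_ms is not None and max_age_ms is not None:
        if abs(now_ms - int(t)) > max_age_ms:
            return False
    # Constant-time comparison (step 4) avoids leaking how many bytes matched.
    return hmac.compare_digest(expected_signature(key, t, raw_body), sig)

# Constructed sample values; the key is a placeholder, not a real token.
DEMO_KEY = b"constructed-signing-key"
DEMO_BODY = b'{"hello": "world", "amount": 5000}'
DEMO_TS = "1723493048949"
DEMO_HEADER = f"t={DEMO_TS},s={expected_signature(DEMO_KEY, DEMO_TS, DEMO_BODY).hex()}"

if __name__ == "__main__":
    print(verify_webhook(DEMO_KEY, DEMO_HEADER, DEMO_BODY))         # genuine request
    print(verify_webhook(DEMO_KEY, DEMO_HEADER, DEMO_BODY + b" "))  # body altered
```

Pass the request body bytes as read from the socket, before any JSON parsing, since re-serializing can change whitespace or key order and so change the signature.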