To ensure the authenticity and integrity of webhook payloads, we include a rivo-signature in the headers of each webhook event. The rivo-signature is an HMAC generated using the SHA-256 hash function and your webhook's secret token.

To validate the webhook payload, follow these steps:

  1. Retrieve the rivo-signature from the webhook headers.
  2. Calculate the HMAC-SHA256 of the webhook payload using your secret token as the key. (You can view your webhook's secret token by clicking the 'edit' button once it's been created.)
  3. Compare the calculated hash with the received rivo-signature.
  4. If the two match, the webhook payload is valid and can be processed.

Here's a code example in JavaScript to demonstrate the verification process:

const crypto = require('crypto');

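// Returns true only if receivedSignature is the hex HMAC-SHA256 of payload.
function verifySignature(payload, secretToken, receivedSignature) {
    const hmac = crypto.createHmac('sha256', secretToken);
    const calculatedSignature = hmac.update(payload).digest();
    const received = Buffer.from(String(receivedSignature), 'hex');

    // timingSafeEqual throws when the buffers differ in length, so a missing,
    // truncated or non-hex signature is rejected before the comparison.
    return received.length === calculatedSignature.length &&
        crypto.timingSafeEqual(received, calculatedSignature);
}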

Make sure to replace secretToken with your actual secret token and payload with the received webhook payload.
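The four steps above wired into a receiver, as an added example that is not Rivo's own code: it verifies the raw request bytes before parsing, because a body that has been parsed and re-serialized no longer matches the signature. Assumptions: payloads are JSON, the header carries only the hex digest, and `MAX_BODY_BYTES`, `createReceiver` and the `RIVO_WEBHOOK_SECRET` variable are hypothetical names.

```javascript
const crypto = require('crypto');
const http = require('http');

const MAX_BODY_BYTES = 1024 * 1024; // assumed cap: bodies are buffered before they are authenticated

// True only when `signature` is the hex HMAC-SHA256 of the exact bytes in rawBody.
function isValidSignature(rawBody, secretToken, signature) {
    // Rejects a missing header, duplicated headers (Node joins them with ", "),
    // wrong lengths and non-hex input before any buffer comparison.
    if (typeof signature !== 'string' || !/^[0-9a-f]{64}$/i.test(signature)) return false;
    const expected = crypto.createHmac('sha256', secretToken).update(rawBody).digest();
    return crypto.timingSafeEqual(Buffer.from(signature, 'hex'), expected);
}

// Status code for one delivery: authenticate the raw bytes first, parse afterwards.
function handleDelivery(headers, rawBody, secretToken) {
    if (!isValidSignature(rawBody, secretToken, headers['rivo-signature'])) return 401;
    try {
        JSON.parse(rawBody.toString('utf8')); // assumption: payloads are JSON
    } catch (err) {
        return 400;
    }
    return 200; // hand the parsed event to application code here
}

// Receiver that collects the body as raw bytes instead of using a JSON body parser.
function createReceiver(secretToken) {
    return http.createServer((req, res) => {
        const chunks = [];
        let size = 0;
        req.on('data', (chunk) => {
            size += chunk.length;
            if (size > MAX_BODY_BYTES) return req.destroy(); // drop oversized unauthenticated bodies
            chunks.push(chunk);
        });
        req.on('end', () => {
            res.writeHead(handleDelivery(req.headers, Buffer.concat(chunks), secretToken)).end();
        });
    });
}

// Usage (hypothetical variable name): createReceiver(process.env.RIVO_WEBHOOK_SECRET).listen(3000);
```

If a framework parses the body for you, keep a copy of the raw bytes and pass that copy to the check.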