Webhook Signature

Check for AfterShip's base64-encoded HMAC generated signature to verify all incoming webhook events to avoid replay attacks.


Webhooks includes a calculated digital signature for verification. Each webhook request includes a aftership-hmac-sha256 header. The signature is a base64-encoded HMAC generated using sha256 algorithm with webhook request body and webhook secret of your account.

Each webhook request could be verified by comparing the computed HMAC digest and the attached HMAC digest in header.

Here are the sample code snippet of generating a webhook signature with different programming languages.