QUICKSTART
API Quick Start
Authentication
SignString
OAuth
Overview
Getting Started
Scope List
Versioning
Rate Limit
Body Envelope
Request Errors
Try API Endpoints
CHANGELOG
Changelog
Migration Guide
REFERENCE
API Overview
Trackings
Get trackings
get
Create a tracking
post
Get a tracking by ID
get
Update a tracking by ID
put
Delete a tracking by ID
delete
Retrack an expired tracking by ID
post
Mark tracking as completed by ID
post
Get a tracking (Legacy)
get
Update a tracking (Legacy)
put
Delete a tracking (Legacy)
delete
Retrack an expired tracking (Legacy)
post
Mark tracking as completed (Legacy)
post
Couriers
Get user activated couriers
get
Detect courier
post
Get all couriers
get
Last Checkpoints
Get last checkpoint by tracking ID
get
Get last checkpoint (Legacy)
get
Notifications
Get tracking notification by tracking ID
get
Add a notification by tracking ID
post
Remove a notification by tracking ID
post
Get tracking notification (Legacy)
get
Add a notification (Legacy)
post
Remove a notification (Legacy)
post
Estimated delivery date
Batch prediction for the Estimated Delivery Date
post
MODEL
Tracking
Courier
Checkpoint
Notification
ENUM
Additional Tracking Fields
Delivery Statuses
Delivery Sub-statuses
Slug Groups
Events
Confidence Codes
Webhook
Webhook Overview
Webhook Versioning
Webhook Specifications
Webhook Signature
Webhook OAuth 2.0
Webhook Outgoing IPs
Webhook Changelog
OTHERS
Supported Couriers
CSV Upload & CSV Auto-Fetch
Shipment CSV Export
Order CSV Export
SDK
Android SDK
iOS SDK
Java SDK
Node.js SDK
.NET SDK
Python SDK
Ruby Gem
PHP SDK
Golang SDK
Open Source
phone
email-verifier
Support
Contact Support

Webhook Signature

Check for AfterShip's base64-encoded HMAC generated signature to verify all incoming webhook events to avoid replay attacks.


Webhooks includes a calculated digital signature for verification. Each webhook request includes a aftership-hmac-sha256 header. The signature is a base64-encoded HMAC generated using sha256 algorithm with webhook request body and webhook secret of your account.

Each webhook request could be verified by comparing the computed HMAC digest and the attached HMAC digest in header.

The following Node.js example demonstrates the computation of a webhook signature.

preparing...