Skip to main content

Webhook Signatures

Kallglot signs all webhook events so you can verify they’re authentic. This prevents attackers from sending fake events to your endpoint.

Signature Header Format

Each webhook request includes a Kallglot-Signature header with the timestamp and signature:

Verification Process

1. Parse the Signature Header

Extract the timestamp and signature from the header:

2. Prepare the Signed Payload

The signature is computed over: {timestamp}.{body}

3. Compute Expected Signature

4. Compare Signatures

Use a constant-time comparison to prevent timing attacks:

5. Check Timestamp

Reject events older than 5 minutes to prevent replay attacks:

Complete Examples

Ruby (Pure)

Ruby on Rails (receiver example)

Go

Node.js / Express

Python / Flask

Webhook Secret

Your webhook signing secret starts with whsec_ and is displayed once when you create a webhook endpoint in the Developer Portal. If you lose your secret:
  1. Go to Developer Portal > Webhooks
  2. Select your endpoint
  3. Click Roll Secret
  4. Update your application with the new secret
When you roll a secret, the old secret remains valid for 24 hours to allow for deployment. After that, only the new secret works.

Troubleshooting

”Invalid signature” errors

  1. Check the secret: Ensure you’re using the correct webhook secret (starts with whsec_)
  2. Check body parsing: The signature is computed on the raw body, not parsed JSON
  3. Check header parsing: Ensure you’re splitting by , then by =

”Timestamp outside tolerance” errors

  1. Check server time: Ensure your server’s clock is synchronized (NTP)
  2. Check for delays: If processing takes too long, the timestamp may expire

Testing signatures locally