This section will help you understand the basics of webhook security and provide you with the knowledge and tools you need to protect your webhooks from potential security risks.


Every notification sent by Bodyguard is transmitted over HTTPS only. If you try to register a webhook with an HTTP URL, the registration will be denied.


The challenge is a way to ensure that you really are the owner of the webhook endpoint. It's a randomly generated string sent in the notification payload.

You MUST send it back in your response to the Notification request.

Secret encryption

This parameter is a secret shared between Bodyguard and your endpoint. It is used to sign each notification so that you can verify it on receipt.

Using this secret, an HMAC-SHA256 hexadecimal digest of the notification body is generated. This digest is sent in the Notification request in the X-Hub-Signature header described below.

X-Hub-Signature header

To verify the integrity of a notification payload received from Bodyguard, you can use the X-Hub-Signature header and compare it with your own generated signature. Follow this workflow to generate the signature on your end and validate the request:

  • Create an HMAC SHA256 hex digest of the notification body using the secret encryption key you configured when registering your webhook.
  • Get the X-Hub-Signature header value.
  • Compare the two hashes:
    • If they match, the integrity of the request is valid.
    • Otherwise, the notification request has been corrupted.
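The workflow above as a receiver-side check, written as an added example (not Bodyguard's own code). It assumes the header carries the bare hex digest as described above; the secret and body are constructed sample values. The HMAC is computed over the exact bytes received, and the comparison is constant-time.

```python
import hashlib
import hmac
import json

# Constructed sample values for illustration only.
SECRET = b"constructed-demo-secret"
RAW_BODY = b'{"id":1,"text":"hello"}'


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 hex digest of the exact bytes received on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_notification(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if the X-Hub-Signature value matches the body."""
    if not header_value:
        return False  # header missing or empty: reject
    received = header_value.strip().lower().encode()
    expected = expected_signature(secret, raw_body).encode()
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a forged digest were right.
    return hmac.compare_digest(expected, received)


def reserialized(raw_body: bytes) -> bytes:
    """Parse and re-dump the JSON, as a framework might do implicitly."""
    return json.dumps(json.loads(raw_body)).encode()


if __name__ == "__main__":
    sig = expected_signature(SECRET, RAW_BODY)
    print("valid request:        ", verify_notification(SECRET, RAW_BODY, sig))
    print("missing header:       ", verify_notification(SECRET, RAW_BODY, None))
    print("altered body:         ", verify_notification(SECRET, RAW_BODY + b" ", sig))
    # Same JSON content, different bytes: the digest no longer matches.
    print("re-serialized body:   ",
          verify_notification(SECRET, reserialized(RAW_BODY), sig))
```

Verify against the raw request body before any JSON parsing; a parsed and re-serialized body usually differs in whitespace or key order and will fail the check even for a genuine notification.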