Skip to content

Security

Verify the signature

Every delivery carries a Signals-Signature header:

Signals-Signature: t=1700000000,v1=<hex hmac-sha256>

Compute HMAC-SHA256(secret, "<t>.<raw_body>") and compare in constant time. Reject deliveries whose timestamp is more than 5 minutes old.

import hmac, hashlib, time
def verify(secret, raw_body, header, tolerance=300):
parts = dict(p.split("=", 1) for p in header.split(","))
ts, sig = int(parts["t"]), parts["v1"]
if abs(int(time.time()) - ts) > tolerance:
return False
expected = hmac.new(secret.encode(), f"{ts}.".encode() + raw_body,
hashlib.sha256).hexdigest()
return hmac.compare_digest(expected, sig)

Endpoint requirements

Your endpoint URL must be HTTPS and must resolve to a public address. We reject URLs that resolve to private, loopback, link-local, or reserved ranges (an SSRF protection), and we re-check at delivery time to defeat DNS rebinding.