Are the Unify webhook events protected by authentication or security signing?

Yes, Unify webhook events are protected by signature verification. All webhook events sent by Apideck include a cryptographic signature that allows you to verify the authenticity and integrity of the webhook payload.

1. Webhook Signature Verification

Apideck signs every webhook event with HMAC-SHA256, using your API key as the secret key. Each webhook request includes an x-apideck-signature header that you can use to verify:

  • Authenticity - The webhook was sent by Apideck, not a malicious third party

  • Integrity - The request body hasn't been tampered with during transmission

2. How It Works

When Apideck sends a webhook, it:

  • Takes the entire request body (with the payload envelope structure)

  • Recursively sorts all object keys alphabetically (arrays keep their order), so the signed form does not depend on the key order in which the JSON was emitted

  • Computes an HMAC-SHA256 over that serialized body, using your API key as the secret key

  • Sends the result in the x-apideck-signature header

3. Verifying the Signature

To verify a webhook signature on your server:

  • Get the x-apideck-signature header from the request

  • Get the raw request body (as a string, before JSON parsing)

  • Recreate the signature using your API key

  • Compare the two signatures using a constant-time comparison function

If the signatures match, you can be confident the webhook was sent by Apideck and hasn't been modified. If they do not match, or the header is missing, reject the request and do not process the payload.

For detailed implementation examples in Node.js, Python, and PHP, see our [Webhook Signature Verification Guide](https://developers.apideck.com/guides/webhook-signature-verification).

4. Important Notes

- Use the raw request body: Verify the signature against the request body exactly as Apideck sent it, before your framework parses or transforms it. Many frameworks parse JSON bodies automatically and may change values or formatting along the way, but the string you hash must be the one Apideck signed.

- Constant-time comparison: Always compare signatures with a constant-time function (crypto.timingSafeEqual in Node.js, hmac.compare_digest in Python) rather than a plain equality check, so that response time does not leak how much of a guessed signature is correct. Treat a missing or malformed header as a failed verification, not as a reason to skip the check.

- Store your API key securely: The key is the HMAC secret, so anyone who obtains it can forge webhooks that pass verification. Never expose it in client-side code or commit it to version control.
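The signing and verification steps in sections 2 to 4, as an added Python example (this is not code from the Apideck guide). It assumes the signer serializes the key-sorted payload as compact JSON and sends the digest as lowercase hex; both are assumptions to confirm against the linked guide. The API key and webhook body are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed values for this example only; not real Apideck credentials or traffic.
API_KEY = "sk_example_api_key_do_not_use"
RAW_BODY = (
    '{"payload": {"event_type": "crm.contact.created", '
    '"consumer_id": "test_consumer_id", "entity_id": "123", "unified_api": "crm"}}'
)


def sort_keys_recursively(value):
    """Sort object keys alphabetically at every depth; arrays keep their order."""
    if isinstance(value, dict):
        return {key: sort_keys_recursively(value[key]) for key in sorted(value)}
    if isinstance(value, list):
        return [sort_keys_recursively(item) for item in value]
    return value


def canonicalize(raw_body: str) -> str:
    """Rebuild the body the way the signer did: parse, sort keys, re-serialize.

    Assumption: the signer emits compact JSON (no spaces after separators,
    non-ASCII left unescaped, as JSON.stringify would). Confirm the exact
    serialization against the official verification guide before relying on it.
    """
    return json.dumps(
        sort_keys_recursively(json.loads(raw_body)),
        separators=(",", ":"),
        ensure_ascii=False,
    )


def compute_signature(raw_body: str, api_key: str) -> str:
    """HMAC-SHA256 over the canonical body, keyed with the API key.

    Assumption: the header carries the digest as lowercase hex.
    """
    return hmac.new(
        api_key.encode("utf-8"),
        canonicalize(raw_body).encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()


def verify_signature(raw_body: str, signature_header, api_key: str) -> bool:
    """Return True only if the header matches the signature we recompute.

    A missing header, a body that is not JSON, or a mismatch all fail closed.
    The comparison is constant-time so the response time does not leak how
    many leading bytes of a guessed signature were correct.
    """
    if not signature_header:
        return False
    try:
        expected = compute_signature(raw_body, api_key)
    except ValueError:  # json.loads failed: an unparseable body cannot be verified
        return False
    return hmac.compare_digest(
        expected.encode("ascii"), signature_header.strip().encode("utf-8")
    )


if __name__ == "__main__":
    sig = compute_signature(RAW_BODY, API_KEY)
    print("genuine delivery verifies:", verify_signature(RAW_BODY, sig, API_KEY))
    tampered = RAW_BODY.replace('"entity_id": "123"', '"entity_id": "124"')
    print("tampered body verifies:", verify_signature(tampered, sig, API_KEY))
```

Because the body is canonicalized before hashing, two deliveries whose JSON differs only in key order produce the same signature, while changing any value, using the wrong key, or omitting the header fails verification.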

5. Additional Security Recommendations

Signature verification is the primary security mechanism. The checks below add defense in depth; on their own, none of them proves a request came from Apideck, because a sender controls the headers and body it sends.

  • Unguessable endpoint URLs: Use a unique, unguessable path for your webhook delivery URL (e.g., https://yoursaas.com/api/apideck12345678abc/). Treat that URL as a shared secret and keep it out of public code and logs.

  • Header validation: Check that webhook requests include the expected headers, and reject requests that do not:

- x-apideck-event-type - The type of event being delivered

- x-apideck-idempotency-key - A unique key for deduplication

- x-apideck-signature - The cryptographic signature (included in all webhook events)

  • Payload schema validation: Validate that the webhook payload matches the expected structure. See our [API Reference](https://developers.apideck.com/apis) for the schema of each event type.

  • Consumer ID validation: The payload includes a consumer_id field identifying the consumer (the customer connection) for which the event was triggered. Confirm that this consumer_id matches a consumer you have actually created in your system before processing the webhook, and drop events for unknown IDs.
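The header, envelope and consumer checks listed above, as an added Python example that is not part of the Apideck documentation. It assumes the envelope has the shape {"payload": {"event_type": ..., "consumer_id": ...}} and that signature verification has already passed; the consumer IDs, header values and body are constructed for the example.

```python
import json

# Constructed sample data for this example; not Apideck's real values.
KNOWN_CONSUMER_IDS = {"acme-tenant-1", "acme-tenant-2"}
REQUIRED_HEADERS = (
    "x-apideck-event-type",
    "x-apideck-idempotency-key",
    "x-apideck-signature",
)


def validate_webhook_request(headers, raw_body, known_consumer_ids, seen_keys):
    """Run the non-signature checks on one delivery.

    Returns (http_status, decision) where decision is one of
    "reject", "ignore", "duplicate" or "process". Call this only after the
    signature has verified: headers and body are sender-controlled, so these
    checks add defense in depth, not authentication. seen_keys is the set of
    idempotency keys already processed (a durable store in production; a
    plain set here).
    """
    # Header names are case-insensitive in HTTP; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    missing = [name for name in REQUIRED_HEADERS if not lowered.get(name)]
    if missing:
        return 400, "reject"

    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, "reject"

    # Assumed envelope shape: {"payload": {"event_type": ..., "consumer_id": ...}}.
    payload = body.get("payload") if isinstance(body, dict) else None
    if not isinstance(payload, dict):
        return 400, "reject"

    # The header and the envelope should agree on which event this is.
    if payload.get("event_type") != lowered["x-apideck-event-type"]:
        return 400, "reject"

    # Unknown consumer: acknowledge receipt with 200 but do not act on the
    # event, and do not reveal through the response which IDs exist.
    if payload.get("consumer_id") not in known_consumer_ids:
        return 200, "ignore"

    # Deduplicate on the idempotency key so a redelivered event is applied once.
    key = lowered["x-apideck-idempotency-key"]
    if key in seen_keys:
        return 200, "duplicate"
    seen_keys.add(key)
    return 200, "process"


if __name__ == "__main__":
    sample_headers = {
        "X-Apideck-Event-Type": "crm.contact.created",
        "X-Apideck-Idempotency-Key": "evt-0001",
        "X-Apideck-Signature": "constructed-placeholder",
    }
    sample_body = (
        '{"payload":{"event_type":"crm.contact.created",'
        '"consumer_id":"acme-tenant-1","entity_id":"c1"}}'
    )
    seen = set()
    print(validate_webhook_request(sample_headers, sample_body, KNOWN_CONSUMER_IDS, seen))
    print(validate_webhook_request(sample_headers, sample_body, KNOWN_CONSUMER_IDS, seen))
```

Returning 200 for ignored and duplicate deliveries acknowledges receipt without doing any work, which keeps an unknown consumer_id from turning into a useful probe.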

6. Webhook Delivery

- Webhooks are delivered via POST requests to your configured delivery URL

- Apideck expects an HTTP 200 response to confirm receipt; return it only once the signature has verified and the event has been accepted

- The request body uses a payload envelope structure containing the event data

For complete implementation details and code examples, refer to the [Webhook Signature Verification Guide](https://developers.apideck.com/guides/webhook-signature-verification).
