Glossary
HMAC-SHA256 (webhook signing)
Symmetric signing of webhook payloads
Scell.io signs every webhook with HMAC-SHA256 using the webhook secret and sends the signature in the `X-Scell-Signature` header. Verifying the signature guarantees that the payload originates from Scell.io and was not tampered with. Example: `createHmac('sha256', secret).update(payload).digest('hex')`.
Code example
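```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Returns true only if `signature` is the hex HMAC-SHA256 of `payload` under `secret`.
function verifyWebhook(payload: string, signature: string, secret: string): boolean {
  const expected = Buffer.from(createHmac('sha256', secret).update(payload).digest('hex'));
  const received = Buffer.from(signature);
  // timingSafeEqual throws if lengths differ, so reject a wrong-length signature first.
  return received.length === expected.length && timingSafeEqual(received, expected);
}
```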
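The following is an added example, not Scell.io's own code: it verifies the signature over the exact bytes received and shows the cases a handler has to reject, including a body that was parsed and re-serialized before verification. The helper names, the secret and the sample body are constructed, and it assumes the header carries the bare lowercase hex digest.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';
import { Buffer } from 'node:buffer';

// Assumption: the header value is the bare lowercase hex digest (64 chars for SHA-256).
const HEX_SHA256 = /^[0-9a-f]{64}$/;

// Hypothetical helper: checks the signature against the raw request bytes.
function verifyRawWebhook(rawBody: Buffer, header: string | undefined, secret: string): boolean {
  // A missing or malformed header is rejected before any comparison.
  if (!header || !HEX_SHA256.test(header)) return false;
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(header, 'hex');
  // Both buffers are 32 bytes at this point, so timingSafeEqual cannot throw.
  return timingSafeEqual(received, expected);
}

// Constructed sample values, not real Scell.io data.
const SAMPLE_SECRET = 'constructed-example-secret';
const SAMPLE_BODY = Buffer.from('{"event": "example",  "id": 42}', 'utf8');

// Sender side, for the demo only: hex HMAC-SHA256 of the body.
function sign(body: Buffer, secret: string): string {
  return createHmac('sha256', secret).update(body).digest('hex');
}

function demo() {
  const sig = sign(SAMPLE_BODY, SAMPLE_SECRET);
  const text = SAMPLE_BODY.toString('utf8');
  // Parsing and re-serializing drops the original whitespace, so the bytes differ.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(text)), 'utf8');
  const tampered = Buffer.from(text.replace('42', '43'), 'utf8');
  return {
    valid: verifyRawWebhook(SAMPLE_BODY, sig, SAMPLE_SECRET),
    tampered: verifyRawWebhook(tampered, sig, SAMPLE_SECRET),
    reserialized: verifyRawWebhook(reserialized, sig, SAMPLE_SECRET),
    truncated: verifyRawWebhook(SAMPLE_BODY, sig.slice(0, 10), SAMPLE_SECRET),
    missing: verifyRawWebhook(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    wrongSecret: verifyRawWebhook(SAMPLE_BODY, sig, 'another-constructed-secret'),
  };
}

console.log(demo());
```

Only the untouched body with the matching secret verifies; the re-serialized body fails even though it is the same JSON, which is why the handler must keep the raw request bytes.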