Signature Verification

Verify webhook authenticity using HMAC-SHA256 signature verification. Includes delivery headers, payload examples, and code samples in Python and Node.js.

Webhooks are delivered as POST requests with a JSON body. Each delivery includes these headers:

Webhook payload example

{
  "event": "extraction.complete",
  "delivery_id": "dlv_a1b2c3d4",
  "timestamp": "2024-09-14T10:33:12Z",
  "data": {
    "extraction_id": "ext_8f2k4n1m",
    "document_id": "doc_3j7x9p2q",
    "schema_id": "sch_abc123",
    "status": "complete",
    "confidence": 0.94
  }
}

Verify webhook authenticity by computing an HMAC-SHA256 signature of the raw request body using your webhook secret, then comparing it with the X-Talonic-Signature header.

Python

Node.js

Test vectors

Use these values to verify your signature implementation is correct:

Test inputs

Secret:    whsec_test_secret_do_not_use_in_production
Payload:   {"event":"extraction.complete","delivery_id":"dlv_test123","timestamp":"2026-01-15T10:00:00Z","data":{"extraction_id":"ext_abc","document_id":"doc_xyz","schema_id":"sch_123","status":"complete","confidence":0.95}}
Expected signature: sha256=1e23bdc14b051f268d4fd9544387b51b074186c51c5b6c76ce700956308d168a

Verify with the command line

The test secret above is for development only. Never use it in production. Your real webhook secret is generated when you configure a webhook in the dashboard.

Webhook Events

Retry Policy

Signature Verification

Test vectors

Related