Webhooks

Signatures

Verify webhook signatures and reject replays safely.

Signatures

Webhook signatures use HMAC-SHA256 over raw request body.

Headers

X-Polynion-Event-Id: evt_...
X-Polynion-Timestamp: 2026-06-18T00:00:00.000Z
X-Polynion-Signature: v1=...

Signing string

{timestamp}.{raw_body}

Signature format

v1={hex_hmac_sha256(secret, signing_string)}

Receiver requirements

Use raw request body bytes.
Verify signature before parsing business payload.
Reject unsupported signature version.
Reject timestamp skew greater than 5 minutes.
Reject duplicate event_id already processed.

Minimum verification flow

Read raw body.
Read timestamp and signature headers.
Build signing string.
Compute HMAC with webhook secret.
Constant-time compare against provided signature.
Check timestamp skew.
Check replay store for duplicate event_id.
Only then process event.

Edit this pageorReport an issue

Overview

Overview of the OpenPoly webhook delivery model.

Event envelope

Shared event envelope for all webhook deliveries.