Documentation

Security & HMAC Signing

Every webhook request Savebase sends is signed with HMAC-SHA256 so you can confirm it genuinely came from Savebase and hasn't been tampered with in transit. You should always verify this signature before processing a webhook event.

How Signing Works

Savebase computes the signature by running HMAC-SHA256 over the raw request body using your webhook's Signing Secret as the key. The result is sent in the X-Savebase-Signature header as sha256=<hex-digest>.

Use the raw body

Always compute the HMAC over the raw, unmodified request body bytes — not a re-serialised JSON object. Parsing and re-stringifying JSON can change whitespace and key order, causing signature verification to fail.
HeaderValue format
X-Savebase-Signaturesha256=abcdef0123...
X-Savebase-Eventpost.saved
User-AgentSavebase-Webhook/1.0

Node.js / Express

bash
const crypto = require('crypto');

function verifySignature(rawBody, signatureHeader, secret) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(expected, 'utf8'),
    Buffer.from(signatureHeader, 'utf8')
  );
}

app.post(
  '/savebase-webhook',
  express.raw({ type: 'application/json' }),
  (req, res) => {
    const sig = req.headers['x-savebase-signature'];
    if (!sig || !verifySignature(req.body, sig, process.env.SAVEBASE_WEBHOOK_SECRET)) {
      return res.status(401).send('Invalid signature');
    }
    const event = JSON.parse(req.body);
    console.log('Event:', event.event, event.data.id);
    res.sendStatus(200);
  }
);

Python / Flask

bash
import hmac, hashlib, os
from flask import Flask, request, abort

app = Flask(__name__)
WEBHOOK_SECRET = os.environ['SAVEBASE_WEBHOOK_SECRET']

@app.route('/savebase-webhook', methods=['POST'])
def handle_webhook():
    sig_header = request.headers.get('X-Savebase-Signature', '')
    raw_body = request.get_data()

    expected = 'sha256=' + hmac.new(
        WEBHOOK_SECRET.encode('utf-8'),
        raw_body,
        hashlib.sha256
    ).hexdigest()

    if not hmac.compare_digest(expected, sig_header):
        abort(401)

    payload = request.get_json()
    print('Received event:', payload['event'])
    return '', 200

PHP

bash
<?php
$secret  = getenv('SAVEBASE_WEBHOOK_SECRET');
$rawBody = file_get_contents('php://input');
$sigHeader = $_SERVER['HTTP_X_SAVEBASE_SIGNATURE'] ?? '';
$expected  = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);

if (!hash_equals($expected, $sigHeader)) {
    http_response_code(401);
    exit('Invalid signature');
}

$event = json_decode($rawBody, true);
error_log('Received: ' . $event['event']);
http_response_code(200);

Security Best Practices

  • Respond quickly. Return a 200 OK within 10 seconds. Savebase times out after 10 s and marks the delivery as failed. Offload heavy work to a background job.
  • Never log your signing secret. Treat it like a password. Rotate it in Settings → Webhooks if you believe it has been compromised.
  • Use HTTPS only. Savebase rejects plain HTTP endpoints.
  • Use timing-safe comparison. Always use crypto.timingSafeEqual (Node), hmac.compare_digest (Python), or hash_equals (PHP) — never a plain ===.
  • Idempotency. The same event may occasionally be delivered more than once after retries. Use data.id as an idempotency key to deduplicate.