Validating webhooks in express.js

samsam Member

It took me a little while to figure it out from the node.js code sample so I thought I'd leave this here in case anyone else was struggling with it.

const express = require('express');
const crypto = require('crypto');

// Create a new instance of express
const app = express();

// Set up a raw bodyparser to read the webhook post
const bodyParserRaw = require('body-parser').raw({
    type: '*/*',

function webhookValidator (req, res, next) {
    // get the header signature from the webhook request
    const givenSignature = req.headers['x-kc-signature'];

    // throw error if it's missing
    if (!givenSignature) {
        console.log('Missing signature');
        return res.status(409).json({
            error: 'Missing signature'

    // create HMAC from the raw request body
    let hmac = crypto.createHmac('sha256', [your-webhook-secret-key]);

    // get a base64 hash from HMAC
    let hash ='base64');

    // check validity with timingSafeEqual
    let webhookValid = false;
    try {
        webhookValid = crypto.timingSafeEqual(Buffer.from(givenSignature, 'base64'), Buffer.from(hash, 'base64'));
    } catch (e) {
        webhookValid = false

    // return validity
    if (webhookValid) {
        return next();
    } else {
        console.log('Invalid signature');
        return res.status(409).json({
            error: 'Invalid signature'

// create a route and pass through the bodyparser and validator'/webhook', bodyParserRaw, webhookValidator, ( req, res, next ) => {
    // If execution gets here, the HMAC is valid
    console.log('webhook is valid');


Sign In or Register to comment.