# Verifying signatures

> Verify that webhook requests are from Subtotal and have not been tampered with.

You should verify the authenticity of each webhook request using the following headers.

| Key                  | Type   | Description                          |
| :------------------- | :----- | :----------------------------------- |
| X-Subtotal-Signature | string | HMAC-SHA256 of the signed payload, keyed with the shared signing secret |
| X-Subtotal-Timestamp | string | The timestamp of the webhook request, also used to detect replays |

### Step 1: Prepare the `signed_payload` string

Concatenate the following to create the `signed_payload` string:

* The timestamp (as a string)
* A `.` character
* The request body (as a string)

### Step 2: Compute the `expected_signature`

Compute the `expected_signature` with HMAC-SHA256.

Use the webhook destination's `signing_secret` as the key, and use the `signed_payload` string as the message.

<Note>
  The `signing_secret` is obtained when a new webhook destination is created in the Subtotal Dashboard.
</Note>

### Step 3: Compare the signatures

Compare the `expected_signature` to the `X-Subtotal-Signature`.

To prevent replay attacks, compare the received timestamp to the current time and reject requests outside your tolerance window.

To protect against timing attacks, use a constant-time string comparison.
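The three steps above, carried through as one verifier. This is an added example, not Subtotal's own SDK code; it assumes the signature header carries the HMAC as lowercase hex, that the timestamp is Unix seconds, and a 300-second tolerance window, none of which the page states. The secret, body and headers in the demo are constructed values.

```python
import hashlib
import hmac
import time

# Assumption: the page leaves the replay window to you; 5 minutes is used here.
DEFAULT_TOLERANCE_SECONDS = 300


def build_signed_payload(timestamp: str, body) -> bytes:
    """Step 1: timestamp, a '.', then the raw request body.

    Use the bytes exactly as received; re-serialising parsed JSON changes
    whitespace and key order and breaks the signature.
    """
    body_bytes = body if isinstance(body, bytes) else body.encode("utf-8")
    return timestamp.encode("utf-8") + b"." + body_bytes


def compute_expected_signature(signing_secret: str, timestamp: str, body) -> str:
    """Step 2: HMAC-SHA256 keyed with signing_secret over signed_payload.

    Assumption: the header encodes the MAC as lowercase hex.
    """
    return hmac.new(
        signing_secret.encode("utf-8"),
        build_signed_payload(timestamp, body),
        hashlib.sha256,
    ).hexdigest()


def verify_webhook(headers, body, signing_secret, now=None,
                   tolerance=DEFAULT_TOLERANCE_SECONDS):
    """Step 3: returns (ok, reason). Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    signature = lowered.get("x-subtotal-signature")
    timestamp = lowered.get("x-subtotal-timestamp")
    if signature is None or timestamp is None:
        return False, "missing signature or timestamp header"

    # Replay check (assumption: timestamp is Unix seconds). Reject anything
    # outside the window before doing any cryptographic work.
    try:
        ts = int(timestamp)
    except ValueError:
        return False, "timestamp is not an integer"
    current = int(time.time()) if now is None else int(now)
    if abs(current - ts) > tolerance:
        return False, "timestamp outside tolerance window"

    expected = compute_expected_signature(signing_secret, timestamp, body)
    # compare_digest does not short-circuit on the first differing byte, so
    # the comparison time does not leak how much of the MAC was correct.
    received = signature.strip().lower().encode("utf-8")
    if not hmac.compare_digest(expected.encode("utf-8"), received):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not a real secret or a real Subtotal event.
    secret = "whsec_demo_not_a_real_secret"
    body = '{"event":"order.created","id":"ord_123"}'
    ts = "1700000000"
    headers = {
        "X-Subtotal-Timestamp": ts,
        "X-Subtotal-Signature": compute_expected_signature(secret, ts, body),
    }
    print(verify_webhook(headers, body, secret, now=1700000010))        # genuine
    print(verify_webhook(headers, body + " ", secret, now=1700000010))  # tampered body
    print(verify_webhook(headers, body, secret, now=1700003600))        # replayed an hour later
```

Call `verify_webhook` with the raw request body before parsing it, and treat any `(False, reason)` result as a rejected request; the reason string is for your logs, not for the response, so a sender cannot learn which check failed.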
