Each webhook sent by Loop includes an X-Loop-Signature header.

This header contains a value you can use to verify that the webhook originated from Loop’s system. The value is an HMAC generated with the SHA256 algorithm and keyed with your webhook secret.

When you receive a webhook from Loop, use the webhook’s secret to generate a SHA256 HMAC of the raw request body (the exact bytes received, before any JSON parsing), encoded as a base64 value. You can find the webhook secret in the Developer Tools page of the Loop Admin (the same place you can create webhook subscriptions).

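Compare your calculated HMAC to the value in the X-Loop-Signature header included with the request, preferably with a constant-time comparison. If the values match, you can confirm that the webhook came from Loop and has not been tampered with. If the header is missing or the values differ, reject the request without processing its body.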

Code Samples

const assert = require('assert');
const crypto = require('crypto');
const express = require('express');

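// Placeholder only: load the real webhook secret from configuration or a
// secret store at startup instead of committing it to source control.
const WEBHOOK_SECRET = '<SECRET>';

const app = express();

// Keep the body as raw bytes. The HMAC has to be computed over exactly what
// was sent; a parsed and re-serialized JSON object can differ byte-for-byte.
// express.json() is deliberately not registered: once express.raw() has
// consumed the body, a JSON parser behind it would never run, so the payload
// is parsed by hand after the signature has been checked.
app.use(express.raw({ type: '*/*' }));

/**
 * Webhook receiver: authenticates the request against X-Loop-Signature and
 * only then parses the JSON payload.
 *
 * Responds 401 when the signature header is missing or does not match,
 * 400 when an authenticated body is not valid JSON, and otherwise echoes
 * the signature and the re-serialized payload.
 */
app.post('/endpoint', (req, res) => {
  // express.raw() leaves req.body as a Buffer only when a body was read.
  const rawBody = Buffer.isBuffer(req.body) ? req.body : Buffer.alloc(0);

  const expected = crypto.createHmac('sha256', WEBHOOK_SECRET)
    .update(rawBody)
    .digest('base64');

  const signature = req.get('X-Loop-Signature');
  if (typeof signature !== 'string') {
    return res.status(401).json({ error: 'missing signature' });
  }

  // Compare in constant time so response timing does not reveal how much of
  // a guessed signature was correct. timingSafeEqual throws on inputs of
  // different length, so the length is checked first.
  const expectedBytes = Buffer.from(expected, 'utf8');
  const providedBytes = Buffer.from(signature, 'utf8');
  const isAuthentic =
    expectedBytes.length === providedBytes.length &&
    crypto.timingSafeEqual(expectedBytes, providedBytes);

  if (!isAuthentic) {
    // Answer with a plain 401 instead of throwing, which would surface as a
    // 500 and possibly a stack trace to the caller.
    return res.status(401).json({ error: 'invalid signature' });
  }

  // The body is only interpreted once it is known to be authentic.
  let payload;
  try {
    payload = JSON.parse(rawBody.toString('utf8'));
  } catch (_err) {
    return res.status(400).json({ error: 'invalid JSON body' });
  }

  const jsonPayload = JSON.stringify(payload);

  return res.json({ signature, jsonPayload });
});

app.listen(3000, () => console.log('ready'));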