Verify webhook signatures

Every outbound webhook Harmon POSTs to your endpoint carries three headers:

X-Harmon-Event:     order.confirmed
X-Harmon-Delivery:  <uuid>
X-Harmon-Signature: sha256=<hex hmac>

The signature is an HMAC-SHA256 of the exact request-body bytes, keyed by the signing_secret Harmon returned when you created the subscription (revealed once). Verify it over the raw bytes you received - don't re-serialize the JSON first, or the bytes (and the HMAC) won't match.

Verify before you parse

Compute the expected signature and reject the delivery on a mismatch before you json.loads the body. A request that fails verification is not from Harmon.
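The receiver logic described above (HMAC over the raw bytes, compare, then parse), as an added example that is not part of Harmon's documentation or SDK. The header name and the sha256=<hex> format are taken from this page; the function names, the sample secret and body, and the reserialize helper are constructed for the example. It also shows the two failure modes the page calls out: a tampered body and a body that was re-serialized before verification.

```python
import hashlib
import hmac
import json

# Constructed sample values. In a real receiver the secret comes from your
# configuration (the signing_secret Harmon showed you once) and the body and
# header come from the HTTP request object.
SAMPLE_SECRET = b"example-signing-secret"
SAMPLE_BODY = b'{"id":"ord_123","status":"confirmed","total":1999}\n'
SIGNATURE_HEADER = "X-Harmon-Signature"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Produce the header value Harmon sends: 'sha256=' + hex HMAC-SHA256."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, header: str) -> bool:
    """Return True only if `header` is a valid signature over `raw_body`.

    - The scheme prefix is checked so an unexpected scheme is rejected.
    - hmac.compare_digest is used so the comparison does not leak how many
      leading characters of a forged value happened to be correct.
    """
    if not header or not header.isascii() or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, raw_body), header)


def reserialize(raw_body: bytes) -> bytes:
    """What a receiver does by mistake: parse, then dump the JSON again.

    The result is semantically equal but byte-different (separators, trailing
    newline), so the HMAC no longer matches. Shown here only to demonstrate
    the pitfall; never feed this into verify() in a real receiver.
    """
    return json.dumps(json.loads(raw_body)).encode()


def receive(secret: bytes, raw_body: bytes, headers: dict) -> dict:
    """Verify first, parse second. Raises before json.loads on any mismatch."""
    if not verify(secret, raw_body, headers.get(SIGNATURE_HEADER, "")):
        raise ValueError("webhook signature mismatch: delivery is not from Harmon")
    return json.loads(raw_body)


if __name__ == "__main__":
    sig = sign(SAMPLE_SECRET, SAMPLE_BODY)
    print("header:", sig)
    print("untouched body:", verify(SAMPLE_SECRET, SAMPLE_BODY, sig))
    print("tampered body: ", verify(SAMPLE_SECRET, SAMPLE_BODY.replace(b"1999", b"1998"), sig))
    print("re-serialized: ", verify(SAMPLE_SECRET, reserialize(SAMPLE_BODY), sig))
    print("parsed:", receive(SAMPLE_SECRET, SAMPLE_BODY, {SIGNATURE_HEADER: sig}))
```

Pass the framework's raw request body (for example the bytes from the WSGI input stream or an ASGI receive() call) to receive(); any middleware that parses the body for you must expose the original bytes, or the HMAC will be computed over something Harmon never signed.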

Try it

Paste a signing secret and a body to see the signature Harmon would send, then verify a signature against them. Everything runs locally - your secret never leaves the browser.

Tamper with a single character of the body (or the secret) after computing, then re-verify: the result flips to Invalid. That's exactly the check your receiver must perform.

Verify in your stack

# Recompute the signature over the EXACT received bytes and compare.
# Feed the file to openssl directly: BODY="$(cat ...)" would strip trailing
# newlines, changing the bytes (and therefore the HMAC).
EXPECTED="sha256=$(openssl dgst -sha256 -hmac "$SIGNING_SECRET" -hex < webhook-body.json \
  | sed 's/^.* //')"
# RECEIVED is a placeholder for the X-Harmon-Signature header value you got.
# Reject the delivery unless "$EXPECTED" equals it.
if [ "$EXPECTED" = "$RECEIVED" ]; then
  echo "valid"
else
  echo "invalid"; exit 1
fi
