Authorization and Security

Every webhook sent by Prembly includes two critical security headers:

  • x-prembly-signature: HMAC-SHA256 (base64 encoded)
  • token: This is a unique webhook identifier

You must verify the signature before processing any webhook.

Why Verify Webhooks?

Without verification, anyone could send webhooks to your endpoint. Signature verification ensures:

  • The webhook came from Prembly
  • The payload hasn't been tampered with
  • Protection against replay attacks (when combined with token tracking)

How it Works

  1. Prembly generates the signature:
  • HMAC-SHA256(payload, your_public_key)
  • Base64 encodes it
  • Sends it as the x-prembly-signature header
  2. You verify:
  • Compute the same signature using your public key
  • Compare it with the received signature
  • If they match, the webhook is authentic
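
A receiver-side check for the steps above, as an added example (not Prembly's own code). It assumes the signature is computed over the raw request body bytes and keyed with the value this page calls your public key; the function names, the in-memory token set and the sample values are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample values for illustration only (not real Prembly data).
SAMPLE_KEY = "constructed-example-key"
SAMPLE_BODY = b'{"example":"constructed payload"}'

# Hypothetical in-memory store; a real deployment needs a shared store with expiry.
_seen_tokens = set()


def compute_signature(raw_body: bytes, key: str) -> str:
    """Base64-encoded HMAC-SHA256 of the raw body, keyed with `key`."""
    digest = hmac.new(key.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(raw_body: bytes, headers: dict, key: str) -> bool:
    """Return True only for an authentic, not previously seen webhook."""
    # Header names are case-insensitive on the wire; normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    received = normalised.get("x-prembly-signature")
    token = normalised.get("token")
    if not received or not token:
        return False  # missing header: reject rather than fall through

    # Sign the bytes exactly as received; re-serialised JSON will not match.
    expected = compute_signature(raw_body, key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), received.strip().encode()):
        return False

    # Record the token only after the signature checks out, so unsigned
    # requests cannot fill the store or burn a legitimate token.
    if token in _seen_tokens:
        return False  # replayed delivery
    _seen_tokens.add(token)
    return True
```

Call `verify_webhook` with the request body bytes before any JSON parsing, and return a non-2xx response when it returns False.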