Webhooks

Receive real-time HTTP callbacks for PA events.

Verifying signatures

Each request includes a Pe-Webhook-Signature header. Verify it by computing HMAC-SHA256(secret, "{timestamp}.{body}") and comparing with the v1= value.

// Node.js example
const crypto = require('crypto');

function verify(secret, rawBody, header) {
  const [tPart, v1Part] = header.split(',');
  const timestamp = tPart.replace('t=', '');
  const expected = crypto
    .createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(v1Part.replace('v1=', '')),
  );
}