For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Dashboard
How It WorksKnowledge BaseOnboardingVideo TutorialsPMS GuidanceAPI ReferenceRelease Notes
  • Getting Started
    • Introduction
  • Propexo API Concepts
    • Authentication
    • Custom Data Objects
    • Data Fetching Methodology
    • Deleted Records
    • Enabling Properties
    • Filtering Results
    • Integration Cloning
    • Pagination
    • Rate Limiting
    • Records Processed
    • Sorting Results
    • Sync Frequency
    • Sync Schedules
    • Write Requests
  • Webhooks
    • Webhooks Overview
    • Setting Up Webhooks in Propexo
    • Sending a Test Webhook
    • Sequencing and Data Hydration
    • Signed Payloads
Dashboard
LogoLogo
On this page
  • How Signing Works
  • Where to Find Your Webhook Secret
  • Verifying a Webhook Signature in Node.js
Webhooks

Security: Signed Payloads

Was this page helpful?
Previous

Completed Sync

Next
Built with

Propexo does not use static IP addresses for webhook delivery. Instead, we rely on cryptographic signature verification for security. Propexo signs every webhook payload to ensure that the data you receive is authentic and has not been tampered with. This process allows you to verify that the webhook request truly came from Propexo — and not from a malicious third party.

How Signing Works

When Propexo sends a webhook, it includes a signature in the propexo-signature HTTP header. This signature is generated using a secret key unique to your integration. The key is combined with the webhook’s payload and hashed using the HMAC-SHA256 algorithm.

By generating your own signature from the incoming payload and comparing it to the value in the propexo-signature header, you can confirm whether the webhook is genuine.

Where to Find Your Webhook Secret

Your webhook signing secret is stored in your integration settings:

  1. Go to the Webhooks page in the Propexo dashboard.
  2. Click the Settings button for your webhook configuration.
  3. Copy your Webhook Secret.

Keep this secret secure — treat it like a password. If it is ever compromised, rotate it immediately.

While we provide the initial value for the secret, you can modify it at any time by heading to the webhooks section in your dashboard, selecting the relevant webhook, then clicking the three buttons on the right and selecting “Update details”. Otherwise, you can use the “Update a webhook” endpoint.

Verifying a Webhook Signature in Node.js

Below is an example implementation in TypeScript using Node’s built-in crypto module. It uses timingSafeEqual to prevent timing attacks. Please note this example assumes Node 20 or higher.

1import { timingSafeEqual, createHmac } from 'node:crypto'
2
3const createHmacSignature = ({ data, secret }): string => {
4 return createHmac('sha256', secret).update(data).digest('hex')
5}
6
7const compareSignatures = ({ suppliedSignature, data }): boolean => {
8 const generatedSignature = createHmacSignature({ data, secret })
9 const source = Buffer.from(suppliedSignature)
10 const comparison = Buffer.from(generatedSignature)
11 return timingSafeEqual(source, comparison)
12}
13
14return compareSignatures({ suppliedSignature: req.headers['propexo-signature'], data: req.body })