Security: Signed Payloads
Propexo does not use static IP addresses for webhook delivery. Instead, we rely on cryptographic signature verification for security. Propexo signs every webhook payload to ensure that the data you receive is authentic and has not been tampered with. This process allows you to verify that the webhook request truly came from Propexo — and not from a malicious third party.
How Signing Works
When Propexo sends a webhook, it includes a signature in the propexo-signature HTTP header. This signature is generated using a secret key unique to your integration. The key is combined with the webhook’s payload and hashed using the HMAC-SHA256 algorithm.
By generating your own signature from the incoming payload and comparing it to the value in the propexo-signature header, you can confirm whether the webhook is genuine.
Where to Find Your Webhook Secret
Your webhook signing secret is stored in your integration settings:
- Go to the Webhooks page in the Propexo dashboard.
- Click the Settings button for your webhook configuration.
- Copy your Webhook Secret.
Keep this secret secure — treat it like a password. If it is ever compromised, rotate it immediately.
Although we provide the initial value for the secret, you can change it at any time: go to the webhooks section in your dashboard, select the relevant webhook, click the three buttons on the right, and select “Update details”. Alternatively, you can use the “Update a webhook” endpoint.
Verifying a Webhook Signature in Node.js
Below is an example implementation in TypeScript using Node’s built-in crypto module. It uses timingSafeEqual to prevent timing attacks. Please note this example assumes Node 20 or higher.
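The following verifier is an added example written for this page, not Propexo's own code. It assumes the propexo-signature header carries the hex-encoded HMAC-SHA256 of the exact raw request body bytes (the encoding and the signed bytes are not stated above); the function name and sample values are hypothetical.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumption (not stated on this page): the header value is the hex-encoded
// HMAC-SHA256 digest of the raw request body, keyed with the webhook secret.
const HEX_SHA256 = /^[0-9a-f]{64}$/i;

// Hypothetical helper name. Returns true only for an authentic payload.
function verifyPropexoSignature(
  rawBody: string | Buffer,
  signatureHeader: string | string[] | undefined,
  secret: string,
): boolean {
  // Reject a missing or repeated header and anything that is not exactly a
  // 32-byte hex digest. Buffer.from(x, "hex") silently stops at the first
  // invalid character, so the format is validated before decoding.
  if (typeof signatureHeader !== "string" || !HEX_SHA256.test(signatureHeader)) {
    return false;
  }
  // Compute the HMAC over the bytes as received, never over re-serialized JSON.
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, "hex");
  // timingSafeEqual throws on unequal lengths; the regex above guarantees
  // both buffers are 32 bytes, so the comparison runs in constant time.
  return timingSafeEqual(expected, received);
}

// Constructed sample values, for demonstration only.
const sampleSecret = "constructed-example-secret";
const sampleBody = '{"event": "example.created", "id": "constructed-123"}';
const sampleSignature = createHmac("sha256", sampleSecret)
  .update(sampleBody)
  .digest("hex");

// Authentic payload: accepted.
console.log(verifyPropexoSignature(sampleBody, sampleSignature, sampleSecret));
// Body parsed and re-serialized (whitespace changes): rejected, which is why
// the handler must capture the raw body before any JSON middleware runs.
const reserialized = JSON.stringify(JSON.parse(sampleBody));
console.log(verifyPropexoSignature(reserialized, sampleSignature, sampleSecret));
// Missing header: rejected without throwing.
console.log(verifyPropexoSignature(sampleBody, undefined, sampleSecret));
```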

