
What are Onomondo Signature Headers?

Signature headers verify Webhook authenticity and integrity using HMAC-SHA256.

Written by Customer-Success
Updated this week

Environment

  • Onomondo app: Webhooks

  • Webhook type: Applicable to all

Question

  • What are Onomondo Signature Headers?

  • How can I verify that a Webhook request actually comes from Onomondo?

Answer

Onomondo Signature Headers provide a way to cryptographically verify that a Webhook request is authentic and untampered.

  • Each request includes the header: X-Onomondo-Signature-256.

  • It contains a SHA-256 HMAC hash of the payload, using your configured shared secret.

  • Users can validate the signature to ensure:

    • The request is from Onomondo.

    • The payload has not been modified in transit.

Key points:

  • Signature format: sha256=<hex_digest>

  • A shared secret must be configured and securely stored on the user’s side.

Signature validation is recommended for all integrations. Existing Webhooks will still work without it, but may be less secure.

Example:
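A receiver-side check for the X-Onomondo-Signature-256 header, added here as an illustration; it is not Onomondo's own code. It assumes the HMAC is computed over the raw request body bytes exactly as received and that the hex digest is lowercase. The secret, the payload and the function names are constructed for the example.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "X-Onomondo-Signature-256"
PREFIX = "sha256="

# Constructed sample values, not real Onomondo data.
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"example":"constructed payload"}'


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """Header value a sender holding `secret` would produce for `raw_body`."""
    # Assumption: the HMAC covers the raw body bytes, not re-serialised JSON.
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only when the signature header matches the received body."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # unsigned request: treat as unauthenticated
    received = received.strip()
    if not received.startswith(PREFIX):
        return False  # wrong scheme or malformed value
    digest = received[len(PREFIX):].lower()
    if len(digest) != 64:
        return False  # a SHA-256 hex digest is always 64 characters
    expected = expected_signature(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), (PREFIX + digest).encode())


if __name__ == "__main__":
    good = {SIGNATURE_HEADER: expected_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print("valid request:   ", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, good))
    print("tampered payload:", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY + b" ", good))
    print("missing header:  ", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, {}))
```

Verify against the body bytes before any JSON parsing; parsing and re-serialising the payload can change whitespace or key order and make a valid signature fail.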

Cause

Webhook security previously relied on IP whitelisting, which was less secure and harder to manage. After user feedback, Onomondo introduced signature-based validation to enhance Webhook integrity and ease of adoption.
