Environment
Onomondo app: Webhooks
Webhook type: Applicable to all
Question
What are Onomondo Signature Headers?
How can I verify that a Webhook request actually comes from Onomondo?
Answer
Onomondo Signature Headers provide a way to cryptographically verify that a Webhook request is authentic and untampered.
Each request includes the header X-Onomondo-Signature-256. It contains a SHA-256 HMAC hash of the payload, using your configured shared secret.
Users can validate the signature to ensure:
The request is from Onomondo.
The payload has not been modified in transit.
Key points:
Signature format: sha256=<hex_digest>.
A shared secret must be configured and securely stored on the user’s side.
Signature validation is recommended for all integrations. Existing Webhooks will still work without it, but may be less secure.
Example:
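The following receiver-side check is an added illustration, not Onomondo's own code. It assumes the HMAC is computed over the raw request body bytes exactly as received and that the secret is used as UTF-8 bytes; the function names, secret and payload are constructed for the example.

```python
import hashlib
import hmac

HEADER = "X-Onomondo-Signature-256"   # header name from this article
PREFIX = "sha256="                    # signature format: sha256=<hex_digest>

# Constructed sample values; in production load the secret from a secret store.
SECRET = b"example-shared-secret"
BODY = b'{"type":"usage","sim_id":"000000001","bytes":1024}'


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """Header value a sender holding `secret` would produce for `raw_body`."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the signature header matches the raw body."""
    # HTTP header names are case-insensitive, so match on the lowered name.
    received = next(
        (v for k, v in headers.items() if k.lower() == HEADER.lower()), None
    )
    if not received or not received.startswith(PREFIX):
        return False              # missing header or unexpected format
    hex_part = received[len(PREFIX):].strip()
    if len(hex_part) != 64:       # a SHA-256 digest is 32 bytes = 64 hex chars
        return False
    try:
        received_mac = bytes.fromhex(hex_part)
    except ValueError:
        return False              # not valid hex
    expected_mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(received_mac, expected_mac)


if __name__ == "__main__":
    good = {HEADER: expected_signature(SECRET, BODY)}
    print("authentic request:", verify_webhook(SECRET, BODY, good))
    print("tampered payload: ", verify_webhook(SECRET, BODY + b" ", good))
    print("missing header:   ", verify_webhook(SECRET, BODY, {}))
```

Verify against the body bytes before any JSON parsing or re-serialization, since re-encoding the payload can change the bytes and make a valid signature fail.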
Cause
Webhook security previously relied on IP whitelisting, which was less secure and harder to manage. After user feedback, Onomondo introduced signature-based validation to enhance Webhook integrity and ease of adoption.