
Webhook Security

Secure your webhook integration with signature verification.

Signature Verification

All webhooks should include a signature header for verification:

X-Signature-Key: your-webhook-secret

Lead Warmer verifies this signature against your organization’s webhook secret.

Getting Your Secret

  1. Go to Settings > Webhooks
  2. Click Show Secret
  3. Copy the secret key

Keep your secret secure and rotate it periodically.

Implementing Signature Verification

If you’re building a system that sends webhooks to Lead Warmer, include the signature:

curl -X POST https://api.leadwarmer.net/webhooks/ingest/{id} \
  -H "Content-Type: application/json" \
  -H "X-Signature-Key: your-secret-key" \
  -d '{"email": "lead@example.com"}'

HMAC Signature (Advanced)

For additional security, you can use HMAC-SHA256 signatures, which authenticate the payload without sending the secret itself in the request:

X-Signature: sha256=abc123...

Generating HMAC Signature

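const crypto = require('crypto');

// Returns the X-Signature header value for a payload object.
// Send the same JSON.stringify(payload) string as the request body
// so the signed bytes match the bytes sent.
function generateSignature(payload, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  hmac.update(JSON.stringify(payload));
  return 'sha256=' + hmac.digest('hex');
}

// payload: the object you are about to send.
// webhookSecret: the secret copied from Settings > Webhooks.
const signature = generateSignature(payload, webhookSecret);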

Python Example

import hmac
import hashlib
import json


def generate_signature(payload, secret):
    # Serialize once and send these same bytes as the request body,
    # so the signed bytes match the bytes sent.
    message = json.dumps(payload).encode()
    signature = hmac.new(
        secret.encode(),
        message,
        hashlib.sha256
    ).hexdigest()
    return f"sha256={signature}"

IP Allowlisting

For additional security, allowlist Lead Warmer’s IP addresses:

Environment   IP Range
Production    Contact support for current IPs
Staging       Contact support for current IPs

Best Practices

  1. Always verify signatures - Don’t process unsigned webhooks
  2. Use HTTPS - All webhook URLs must use HTTPS
  3. Rotate secrets - Change your webhook secret periodically
  4. Log failures - Monitor for signature verification failures
  5. Rate limit - Implement rate limiting on your end

Handling Verification Failures

If signature verification fails:

  1. Check your secret key is correct
  2. Verify the signature header name (X-Signature-Key)
  3. Check for encoding issues in the payload
  4. Review webhook logs for details

Rotating Your Secret

To rotate your webhook secret:

  1. Go to Settings > Webhooks
  2. Click Rotate Secret
  3. Update your systems with the new secret
  4. The old secret remains valid for 24 hours
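
Added example (not Lead Warmer's code): a receiver-side model of the HMAC check described under HMAC Signature, which also covers the payload encoding check and the 24-hour overlap after a rotation. How Lead Warmer verifies internally is not documented on this page; the function names, the compact JSON serialization and the secret values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from typing import Iterable

PREFIX = "sha256="


def sign_body(body: bytes, secret: str) -> str:
    """Return the X-Signature value for the exact bytes that will be sent."""
    digest = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return PREFIX + digest


def verify_body(body: bytes, header: str, secrets: Iterable[str]) -> bool:
    """Check an X-Signature header against the raw request body.

    `secrets` holds the current secret and, during a rotation overlap,
    the previous one. Each candidate is compared in constant time so
    response timing does not reveal how much of the value matched.
    """
    if not header or not header.startswith(PREFIX):
        return False
    ok = False
    for secret in secrets:
        expected = sign_body(body, secret)
        # No early exit: every candidate secret is always evaluated.
        ok |= hmac.compare_digest(expected.encode(), header.encode())
    return ok


# Constructed sample values, not real credentials.
OLD_SECRET = "example-old-secret"
NEW_SECRET = "example-new-secret"
payload = {"email": "lead@example.com"}

# Serialize once, sign those bytes, and send those same bytes.
body = json.dumps(payload, separators=(",", ":")).encode()
header = sign_body(body, NEW_SECRET)

# Same JSON with different whitespace is a different byte string.
respaced = json.dumps(payload).encode()

if __name__ == "__main__":
    old_header = sign_body(body, OLD_SECRET)
    print("exact bytes:", verify_body(body, header, [NEW_SECRET]))
    print("re-serialized:", verify_body(respaced, header, [NEW_SECRET]))
    print("old, in overlap:", verify_body(body, old_header, [NEW_SECRET, OLD_SECRET]))
    print("old, after overlap:", verify_body(body, old_header, [NEW_SECRET]))
```

A body that is parsed and re-serialized before checking fails verification even with the right secret, which is the usual cause behind the "encoding issues" item above.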

Next Steps