HMAC

Hash-based Message Authentication Code: signed integrity proof

A Hash-based Message Authentication Code (HMAC) combines a secret key with a message digest to prove integrity and authenticity. Webhook systems use HMAC-SHA256 signatures so receivers can detect tampered payloads in transit. Veliro signs lifecycle webhook bodies with a Veliro-Signature header derived from a rotatable shared secret.

HMAC verification requires constant-time comparison in your application code to prevent timing side channels. Store signing secrets in secret managers, rotate them with dual-active periods, and log verification failures for intrusion monitoring.

HMAC is not encryption; it does not hide payload content. Always deliver webhooks over TLS. HMAC proves the sender knew the secret and the body was not altered; TLS protects confidentiality on the wire.

Veliro webhook deliveries include replay APIs and delivery logs so you can reconcile missed events after outages. Treat HMAC verification as mandatory before acting on token suspension, deletion, or cryptogram invalidation events, since those drive revenue-impacting state changes in your billing system.

Webhook handlers should return non-2xx only on verification failure or unrecoverable errors; transient DB outages should queue work so Veliro retries do not poison your delivery history.
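The verification rules above (raw-body HMAC-SHA256, constant-time comparison, dual-active secrets during rotation, rejection before any side effect) as an added example; this is illustrative code, not Veliro's SDK. It assumes the Veliro-Signature header carries a hex-encoded digest and that the sample secrets and payload are constructed; check Veliro's documentation for the actual header encoding.

```python
import hashlib
import hmac
from typing import Optional, Sequence


def sign_body(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded (assumed header format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value: Optional[str],
                     active_secrets: Sequence[bytes]) -> Optional[int]:
    """Return the index of the active secret that matches the header, or None.

    The body must be the exact bytes received on the wire, before any JSON
    parsing or re-serialisation, or the digest will not match. Every candidate
    secret is compared with hmac.compare_digest so the time taken does not
    depend on where the first mismatching byte sits.
    """
    if not header_value:
        return None  # missing header counts as a verification failure
    presented = header_value.strip().lower().encode("ascii", "ignore")
    matched = None
    for index, secret in enumerate(active_secrets):
        expected = sign_body(secret, body).encode("ascii")
        if hmac.compare_digest(expected, presented) and matched is None:
            matched = index  # keep looping so the work is the same for every key
    return matched


# Constructed sample data; not real Veliro secrets or payloads.
OLD_SECRET = b"whsec_old_example"
NEW_SECRET = b"whsec_new_example"
SAMPLE_BODY = b'{"event":"token.suspended","token_id":"tok_example_123"}'


def handle_delivery(body: bytes, header_value: Optional[str],
                    active_secrets: Sequence[bytes]) -> str:
    """Gate side effects on verification; the caller logs every 'reject'."""
    key_index = verify_signature(body, header_value, active_secrets)
    if key_index is None:
        return "reject"  # respond non-2xx and record for intrusion monitoring
    if key_index > 0:
        return "accept-old-key"  # sender still signs with a pre-rotation secret
    return "accept"
```

During a dual-active rotation, list the new secret first so `accept-old-key` tells you when the sender has not yet cut over.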
