Webhook Security

To ensure that webhook notifications are sent by Fype and not by a malicious third party, you must verify the webhook signature.

How Signature Verification Works

Fype signs every webhook request with a unique X-Fype-Signature header. This signature is generated using your endpoint’s Signing Secret and the raw request body.

1. Get Your Signing Secret

Navigate to Developers > Webhooks in the dashboard and select your endpoint. Copy the secret starting with whsec_.

2. Verify the Signature

We recommend using our official SDKs for signature verification, as they handle the complexities of cryptographic comparison.

Using Node.js SDK

try {
  // Returns true if valid, throws FypeSignatureVerificationError if invalid
  fype.webhooks.verifySignature(
    rawBody,
    headers['x-fype-signature'],
    process.env.FYPE_WEBHOOK_SECRET
  );
  // Proceed with business logic
} catch (err) {
  // Handle invalid signature
  console.error("Invalid signature:", err.message);
}

Using Python SDK

import os

try:
    # Returns True if valid, raises SignatureVerificationError if invalid
    is_valid = fype.webhooks.verify_signature(
        raw_payload=request.body(),
        signature_header=request.headers.get('X-Fype-Signature'),
        secret=os.getenv("FYPE_WEBHOOK_SECRET")
    )
except SignatureVerificationError:
    # Handle invalid signature: reject the request and skip all business logic
    pass

Manual Verification (If not using SDKs)

If you are not using an SDK, follow these steps to verify the signature:
  1. Extract the raw body: Get the raw, unparsed JSON body of the request. Do not use a parsed JSON object, as whitespace differences will cause verification to fail.
  2. Generate the HMAC: Use the SHA256 hashing algorithm and your whsec_ secret as the key.
  3. Compare: Generate the hex digest of the HMAC. Compare it to the value in the X-Fype-Signature header using a constant-time string comparison function to prevent timing attacks.
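
The three manual steps above as an added example (not Fype's own code), using only the Python standard library. It assumes the header carries just the hex digest and that the full whsec_ string, UTF-8 encoded, is the HMAC key; the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values for illustration only (not real Fype data).
SAMPLE_SECRET = "whsec_constructed_example_secret"
SAMPLE_RAW_BODY = b'{"event": "payment.succeeded",  "id": "evt_123"}'


def compute_signature(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 of the raw body, keyed with the signing secret.

    Assumption: the whole whsec_ string, UTF-8 encoded, is the key.
    """
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature_header, secret: str) -> bool:
    """Return True only if the header matches the HMAC of the raw bytes."""
    if not signature_header or not secret:
        return False  # missing header or unset secret: fail closed
    expected = compute_signature(raw_body, secret)
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    received = signature_header.strip().encode("utf-8")
    return hmac.compare_digest(expected.encode("ascii"), received)


def demo() -> dict:
    good_sig = compute_signature(SAMPLE_RAW_BODY, SAMPLE_SECRET)
    # Re-serialising parsed JSON changes whitespace, so the bytes (and HMAC) differ.
    reserialised = json.dumps(json.loads(SAMPLE_RAW_BODY)).encode("utf-8")
    return {
        "raw_body": verify_webhook(SAMPLE_RAW_BODY, good_sig, SAMPLE_SECRET),
        "reserialised_body": verify_webhook(reserialised, good_sig, SAMPLE_SECRET),
        "tampered_body": verify_webhook(SAMPLE_RAW_BODY + b" ", good_sig, SAMPLE_SECRET),
        "missing_header": verify_webhook(SAMPLE_RAW_BODY, None, SAMPLE_SECRET),
        "wrong_secret": verify_webhook(SAMPLE_RAW_BODY, good_sig, "whsec_other"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the untouched raw bytes verify; the re-serialised body is rejected even though it parses to the same JSON, which is why step 1 insists on the unparsed body.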

Best Practices

  • Never Hardcode Secrets: Store your whsec_ secrets in secure environment variables.
  • Verify before Processing: Perform the signature check before executing any business logic or database updates.
  • Use HTTPS: Always use an https:// URL for your webhook endpoints to ensure data is encrypted in transit.
  • IP Whitelisting: While signature verification is sufficient, you may also choose to whitelist Fype’s outgoing IP addresses (contact support for the latest list).