Verify webhooks

Knot signs all outgoing webhooks so that you can verify the authenticity of any incoming webhooks to your application.

A message signature is included in the Knot-Signature header. The verification process is optional and is
not required for your application to handle Knot webhooks.

The verification process requires understanding the Hash-based Message Authentication Code (HMAC).

Extract the Signature header

Extract the Knot-Signature HTTP header from any Knot webhook.
Its value is the signature that Knot computed for that webhook.

Prepare the hash map

First, collect the following header and body fields into a hash map:

// Header and body fields taken from the incoming webhook
const data = {
  "Content-Length": "178",
  "Content-Type": "application/json",
  "Encryption-Type": "HMAC-SHA256",
  "event": "CARD_UPDATED",
  "session_id": "fb5aa994-ed1c-4c3e-b29a-b2a53222e584"
};

Build the signature

Now, build the following string, concatenating key-value pairs with |


Finally, using your Knot API secret, compute an HMAC signature using SHA256 and Base64-encode the result.

Then, compare the signature you computed with the value of the Knot-Signature header to check that both are the same.
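The steps above in Node.js, as an added example that is not Knot's own code. The layout of the signed string (key|value pairs in the field order listed above, all joined with |), the helper names and the sample secret are assumptions.

```javascript
// Added example, not Knot's code.
const crypto = require("node:crypto");

// Signed fields in the order this page lists them (ordering is an assumption).
const SIGNED_FIELDS = ["Content-Length", "Content-Type", "Encryption-Type", "event", "session_id"];

// Assumed layout: key|value|key|value..., everything joined with "|".
function buildSignedString(data) {
  return SIGNED_FIELDS.map((key) => {
    const value = data[key];
    if (typeof value !== "string" || value === "") {
      throw new Error(`missing signed field: ${key}`);
    }
    return `${key}|${value}`;
  }).join("|");
}

// HMAC-SHA256 over the string, keyed with the Knot API secret, Base64-encoded.
function computeSignature(data, secret) {
  return crypto.createHmac("sha256", secret)
    .update(buildSignedString(data), "utf8")
    .digest("base64");
}

// Returns true only when the Knot-Signature header matches the recomputed value.
function verifyKnotSignature(data, knotSignature, secret) {
  if (typeof knotSignature !== "string") return false; // header absent
  let expected;
  try {
    expected = computeSignature(data, secret);
  } catch (err) {
    return false; // a signed field is missing: reject rather than guess
  }
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(knotSignature.trim(), "utf8");
  // timingSafeEqual throws on unequal lengths, so check length first;
  // the comparison itself does not reveal where the first mismatch is.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample: field values from this page, made-up secret.
const sampleData = {
  "Content-Length": "178",
  "Content-Type": "application/json",
  "Encryption-Type": "HMAC-SHA256",
  "event": "CARD_UPDATED",
  "session_id": "fb5aa994-ed1c-4c3e-b29a-b2a53222e584"
};
const SAMPLE_SECRET = "constructed-secret-for-illustration";
```

In a handler, reject the request when verifyKnotSignature returns false, and load the secret from server-side configuration rather than a literal.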


Keep your secrets, secret!

Secure your API keys by ensuring your Knot API secret and client_id are not publicly accessible in client-side code or saved in version control.