send.dev Webhooks

Webhook Security

Learn how to verify webhook signatures, handle retries, and secure your webhook endpoints against attacks.

Want to be notified when this feature launches? Let us know

Planned Security Features

Signature Verification

Every webhook includes a signature header:

X-Send-Signature: sha256=abc123...

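Verify using your webhook secret, computing the HMAC over the raw request body and comparing in constant time:

import crypto from 'crypto';

function verifyWebhook(payload: string, signature: string, secret: string): boolean {
  // Compute the HMAC over the raw request body, exactly as received
  const expected = Buffer.from(
    'sha256=' + crypto.createHmac('sha256', secret).update(payload).digest('hex')
  );
  const received = Buffer.from(signature);

  // timingSafeEqual throws on a length mismatch, so compare lengths first;
  // a plain === comparison would leak timing information about the match
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}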

Timestamp Validation

Reject webhooks older than 5 minutes:

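const timestamp = Number.parseInt(headers['x-send-timestamp'], 10);
const now = Math.floor(Date.now() / 1000);

// A missing or non-numeric header parses to NaN, which would slip past
// the age comparison, so reject it explicitly
if (!Number.isFinite(timestamp) || now - timestamp > 300) {
  throw new Error('Webhook too old');
}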

Best Practices

  1. Always verify signatures
  2. Use HTTPS endpoints
  3. Respond quickly (< 5 seconds)
  4. Handle retries idempotently
  5. Log webhook events
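
The following handler combines signature verification, timestamp validation and idempotent retry handling in one place. It is an added example, not code from send.dev: the `id` field in the event body, the in-memory `processed` set and the response strings are assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

type HeaderMap = Record<string, string | undefined>;
type HandlerResult = { status: number; body: string };

const MAX_AGE_SECONDS = 300; // 5 minutes, the window given on this page
// Assumption: in-memory stand-in for a durable store of processed event IDs.
const processed = new Set<string>();

function sign(rawBody: string, secret: string): string {
  return 'sha256=' + createHmac('sha256', secret).update(rawBody).digest('hex');
}

function handleWebhook(
  rawBody: string, headers: HeaderMap, secret: string,
  now: number = Math.floor(Date.now() / 1000),
): HandlerResult {
  // 1. Authenticate first, in constant time, over the raw unparsed body.
  //    Only the body is signed here, as in the page's verifyWebhook.
  const received = Buffer.from(headers['x-send-signature'] ?? '');
  const expected = Buffer.from(sign(rawBody, secret));
  if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
    return { status: 401, body: 'invalid signature' };
  }

  // 2. Freshness: a missing or non-numeric timestamp is rejected, not passed.
  const timestamp = Number.parseInt(headers['x-send-timestamp'] ?? '', 10);
  if (!Number.isFinite(timestamp) || now - timestamp > MAX_AGE_SECONDS) {
    return { status: 400, body: 'stale or missing timestamp' };
  }

  // 3. Idempotency: parse only after authentication; `id` is a hypothetical field.
  let event: { id?: unknown };
  try {
    event = JSON.parse(rawBody) ?? {};
  } catch {
    return { status: 400, body: 'malformed JSON' };
  }
  if (typeof event.id !== 'string') {
    return { status: 400, body: 'missing event id' };
  }
  if (processed.has(event.id)) {
    return { status: 200, body: 'duplicate ignored' }; // retry acknowledged, no side effects
  }
  processed.add(event.id);
  // Side effects, or queueing of slow work to stay under 5 seconds, go here.
  return { status: 200, body: 'processed' };
}
```

A retried delivery with a valid signature is acknowledged with 200 but triggers no second side effect, so the sender stops retrying and the event is applied once.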

Coming Soon

Contact us for early access.
