Skip to content

API Reference

Signature verifier

Paste your signing secret, the raw request body, and the X-JE-Signature header. We compute the HMAC client-side and tell you whether your receiver would accept it. Your secret never leaves the browser — no fetch, no telemetry.

What this checks

  1. The header parses as t=<unix>,v1=<hex>.
  2. t is within ±300s of "now" — defends against replay attacks.
  3. v1 === HMAC-SHA256(secret, t + "." + body), compared in constant time.

Mirrors the server-side helper at backend/internal/handlers/webhook_outgoing.go::VerifyWebhookSignature. See the receiver recipe for Node + Python + Go code.

Loading John’s Essentials