Skip to main content
Lettermint signs every webhook delivery so you can verify it came from us and the payload hasn’t been tampered with. This prevents unauthorized parties from forging webhook events to your endpoint.

Why verify signatures?

Without signature verification, anyone who discovers your webhook URL can send fake events to your endpoint. An attacker could:
  • Trigger false payment confirmations to fulfill orders that were never paid
  • Forge delivery events to mark messages as sent when they weren’t
  • Inject malicious data into your systems through crafted payloads
  • Cause your application to take actions based on events that never occurred
Signature verification ensures that only Lettermint can trigger your webhook handlers. It takes just a few lines of code and should always be implemented in production.

How it works

Each webhook delivery includes a cryptographic signature in the X-Lettermint-Signature header. The signature is computed using HMAC-SHA256 with your webhook’s secret and contains:
  • A timestamp to prevent replay attacks
  • A hash of the exact payload we sent
You recompute the same signature on your side and compare. If they match, the webhook is authentic.

Headers

Every webhook delivery includes these HTTP headers:
HeaderDescription
X-Lettermint-SignatureSignature in format t={timestamp},v1={hmac_hex}
X-Lettermint-EventEvent type (e.g., message.delivered, message.bounced)
X-Lettermint-DeliveryDelivery timestamp (Unix seconds)
X-Lettermint-AttemptRetry attempt number (1, 2, 3…)

Signature scheme

The signature format follows the Stripe/Svix convention: 
X-Lettermint-Signature: t=1704067200,v1=5d41402abc4b2a76b9719d911017c592
Where:
  • t = Unix timestamp (seconds) when signature was generated
  • v1 = HMAC-SHA256 hex digest

Signed payload format

We compute the signature over this exact string: 
{timestamp}.{raw_json_body}
The JSON body is serialized with JSON_UNESCAPED_SLASHES and JSON_UNESCAPED_UNICODE flags. You must use the raw request body bytes, not a re-serialized version.

Computing the signature

const crypto = require('crypto')

const timestamp = '1704067200'
const rawBody = '{"id":"abc","event":"message.delivered",...}'
const secret = 'whsec_your_secret_here'

const signedPayload = `${timestamp}.${rawBody}`
const expectedSignature = crypto
  .createHmac('sha256', secret)
  .update(signedPayload)
  .digest('hex')

// expectedSignature should equal the v1 value from the header
Use your webhook secret as-is, including the whsec_ prefix. Do not strip or decode it.

Replay protection

Reject webhooks with stale timestamps to prevent replay attacks. We recommend a 5-minute tolerance window:
  1. Parse the t value from X-Lettermint-Signature
  2. Compare with current time: |now - t| <= 300 seconds
  3. Reject if outside the window
This prevents attackers from capturing and re-sending old webhook payloads.

Implementation examples

const express = require('express')
const crypto = require('crypto')

const app = express()
const SECRET = process.env.LETTERMINT_WEBHOOK_SECRET

// Important: capture raw body for signature verification
app.use(express.json({
  verify: (req, res, buf) => {
    req.rawBody = buf
  }
}))

app.post('/webhooks/lettermint', (req, res) => {
  const signature = req.header('X-Lettermint-Signature') || ''
  const rawBody = req.rawBody

  // Verify signature
  if (!verifySignature(rawBody, signature, SECRET)) {
    return res.status(401).json({ error: 'Invalid signature' })
  }

  // Signature valid - process event
  const event = req.body
  console.log('Verified event:', event.event, event.id)

  res.status(200).json({ ok: true })
})

function verifySignature(rawBody, signature, secret, tolerance = 300) {
  // Parse signature header: t=123,v1=abc...
  const elements = {}
  signature.split(',').forEach(element => {
    const [key, value] = element.split('=', 2)
    if (key && value) elements[key] = value
  })

  if (!elements.t || !elements.v1) {
    return false
  }

  const timestamp = parseInt(elements.t, 10)
  const providedSignature = elements.v1

  // Check timestamp freshness (replay protection)
  const now = Math.floor(Date.now() / 1000)
  if (Math.abs(now - timestamp) > tolerance) {
    console.warn('Timestamp too old or too new')
    return false
  }

  // Compute expected signature
  const signedPayload = `${timestamp}.${rawBody.toString()}`
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(signedPayload)
    .digest('hex')

  // Timing-safe comparison
  return crypto.timingSafeEqual(
    Buffer.from(expectedSignature),
    Buffer.from(providedSignature)
  )
}

app.listen(3000)
Use the “Test Webhook” button in your dashboard to send a test event and verify your signature validation works correctly.

Verification steps

The signature verification process follows these steps:
  1. Extract the X-Lettermint-Signature header and parse t (timestamp) and v1 (signature hash)
  2. Validate timestamp is within 5 minutes of current time to prevent replay attacks
  3. Get raw body as the exact bytes received (not re-serialized JSON)
  4. Compute signature using HMAC-SHA256 over {timestamp}.{rawBody} with your secret
  5. Compare using timing-safe equality to prevent timing attacks
See the implementation examples above for complete, copy-paste code in your language.

Finding your webhook secret

  1. Navigate to Dashboard → Project → Routes → Select Route → Webhooks
  2. Click on your webhook
  3. Copy the secret (starts with whsec_)
  4. Store it securely in your environment variables
Webhook secret in dashboard
You can regenerate the secret at any time by clicking “Regenerate Secret”. This invalidates the old secret immediately.
Never commit webhook secrets to version control. Use environment variables or a secrets manager.

Testing signature verification

Manual test with curl

# This will fail signature verification (as intended)
curl -X POST https://your-endpoint.com/webhooks/lettermint \
  -H "Content-Type: application/json" \
  -H "X-Lettermint-Signature: t=1704067200,v1=invalid" \
  -H "X-Lettermint-Event: webhook.test" \
  -d '{"id":"test","event":"webhook.test","data":{}}'

Using the dashboard

The “Test Webhook” button sends a real, properly-signed webhook to your endpoint. This is the easiest way to verify your implementation.

Production recommendations

Security

  • Always verify signatures in production environments
  • Use HTTPS endpoints - Lettermint only delivers to HTTPS URLs
  • Rotate secrets periodically (e.g., every 90 days)
  • Monitor failed deliveries in the dashboard for potential attacks

Performance

  • Verify then queue - Return 200 immediately after verification, process async
  • Set reasonable timeout - Your endpoint should respond within 30 seconds
  • Implement idempotency - Use event.id to prevent processing duplicates

Error handling

  • Return 401 for signature verification failures
  • Return 200-299 for successful processing
  • Return 500-599 for temporary errors (we’ll retry)
Failed deliveries are automatically retried with exponential backoff. See Introduction for the retry schedule.

Troubleshooting

”Invalid signature” errors

Problem: Signature verification always fails Solutions:
  • Verify you’re using the raw request body, not re-serialized JSON
  • Check that your secret includes the whsec_ prefix
  • Ensure body parsing middleware preserves raw body (see Express example)
  • Confirm timestamp is being parsed as an integer, not string

Timestamp too old warnings

Problem: “Timestamp too old or too new” errors Solutions:
  • Check your server’s system clock is synchronized (use NTP)
  • Increase tolerance to 600 seconds (10 minutes) if clock drift is unavoidable
  • Verify you’re parsing the t parameter correctly as Unix seconds

Works in test but fails in production

Problem: Test webhook works, but real events fail Solutions:
  • Confirm production environment has correct LETTERMINT_WEBHOOK_SECRET
  • Check production logging to see the actual signature format received
  • Verify production isn’t modifying request body (compression, proxies, etc.)

Next steps