Webhook signing keys let you verify that callback requests are genuinely from DocPipe and have not been tampered with.

Why use signing keys

Without signature verification, any HTTP request to your callback URL could impersonate DocPipe. Signing keys let you cryptographically verify each request.

Generating a signing key

  1. Go to Settings → Webhook signing key
  2. Click Generate key
  3. Copy the key and store it securely in your application’s configuration
Store your signing key securely. Treat it like a password. Never expose it in client-side code or commit it to source control.

Verifying signatures

When DocPipe sends a callback, it includes a signature header computed from the request body using your signing key. To verify:
  1. Read the raw request body
  2. Compute an HMAC-SHA256 hash using your signing key
  3. Compare the computed hash with the signature in the request header
  4. Only process the request if they match
See webhooks and callbacks for code examples in multiple languages.

Rotating keys

To rotate your signing key:
  1. Generate a new key in settings
  2. Update your application to accept signatures from both the old and new key
  3. Once all integrations are updated, remove the old key from your application
Plan key rotation during low-traffic periods to minimize the risk of rejected callbacks during the transition.
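
The following is an added example, not DocPipe's own code, covering the verification steps under "Verifying signatures" together with the dual-key acceptance described under "Rotating keys". It assumes the signature header carries the hex-encoded HMAC-SHA256 of the raw body (the header name and encoding are not given on this page); the keys and payload are constructed.

```python
import hashlib
import hmac
import json

# Assumption: the header carries the hex-encoded HMAC-SHA256 of the raw body.
# The header name and encoding are not given on this page.

def compute_signature(key: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes received on the wire."""
    return hmac.new(key, raw_body, hashlib.sha256).hexdigest()

def verify_callback(raw_body: bytes, header_value, accepted_keys) -> bool:
    """True only if header_value is a valid signature under an accepted key."""
    if not header_value or not accepted_keys:
        return False  # missing header or no configured key: reject
    try:
        received = header_value.strip().lower().encode("ascii")
    except UnicodeEncodeError:
        return False
    valid = False
    for key in accepted_keys:
        expected = compute_signature(key, raw_body).encode("ascii")
        # Constant-time comparison; every key is checked, no early exit.
        valid |= hmac.compare_digest(expected, received)
    return valid

# Constructed sample data, not real DocPipe keys or payloads.
OLD_KEY = b"constructed-old-signing-key"
NEW_KEY = b"constructed-new-signing-key"
RAW_BODY = b'{"id": "example-123",  "status": "done"}'

def demo() -> dict:
    old_sig = compute_signature(OLD_KEY, RAW_BODY)
    new_sig = compute_signature(NEW_KEY, RAW_BODY)
    # Parsing and re-serializing changes the bytes, so the signature no longer matches.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "rotation_old_sig": verify_callback(RAW_BODY, old_sig, [NEW_KEY, OLD_KEY]),
        "rotation_new_sig": verify_callback(RAW_BODY, new_sig, [NEW_KEY, OLD_KEY]),
        "old_sig_after_removal": verify_callback(RAW_BODY, old_sig, [NEW_KEY]),
        "reserialized_body": verify_callback(reserialized, new_sig, [NEW_KEY]),
        "missing_header": verify_callback(RAW_BODY, None, [NEW_KEY]),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

Load the accepted keys from your application's configuration or secret store, and pass the request body to the verifier before any JSON parsing or middleware rewrites it.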