Your webhook signing key lets you verify that callback requests are genuinely from DocPipe and have not been tampered with.
Why use a signing key
Without signature verification, any HTTP request to your callback URL could impersonate DocPipe. A signing key lets you cryptographically verify each request.
Generating a signing key
- Go to Settings → Webhook Keys
- Click Generate key
- Copy the key and store it securely in your application’s configuration
Store your signing key securely. Treat it like a password. Never expose it in client-side code or commit it to source control.
Verifying signatures
When DocPipe sends a callback, it includes a signature header computed from the request body using your signing key.
To verify:
- Read the raw request body
- Compute an HMAC-SHA256 hash of the raw body using your signing key
- Compare the computed hash with the signature in the request header
- Only process the request if they match
See webhooks and callbacks for code examples in multiple languages.
Rotating your key
DocPipe supports zero-downtime key rotation. During rotation, both the primary and secondary key are active, and callback signatures are computed with both.
To rotate your signing key:
- Go to Settings → Webhook Keys
- Click Rotate. This generates a new primary key and demotes the current key to secondary
- Copy the new key and update your application to use it
- Once all integrations are updated, click Complete rotation to remove the old secondary key
During rotation, the X-DocPipe-Signature header includes signatures from both the old and new key, so your existing integration continues to work while you transition.
Plan key rotation during low-traffic periods to minimize the risk of rejected callbacks during the transition.
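The verification steps under "Verifying signatures", combined with the two-signature header described for rotation, as an added Python example (not DocPipe's own code). This page does not specify the header encoding, so the example assumes hex digests separated by commas; the keys and body are constructed sample values.

```python
import hashlib
import hmac

# Header name is from this page. ASSUMPTIONS (not stated on this page):
# each signature is a hex HMAC-SHA256 digest, and during rotation the
# header carries several of them separated by commas.
SIGNATURE_HEADER = "X-DocPipe-Signature"


def compute_signature(key: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, before any JSON parsing."""
    return hmac.new(key, raw_body, hashlib.sha256).hexdigest()


def verify_callback(raw_body: bytes, header_value, keys) -> bool:
    """Return True if any signature in the header matches a configured key.

    `keys` holds the key(s) your application currently trusts: normally one,
    or old and new together while you roll out a rotated key.
    """
    if not header_value or not keys:
        return False  # missing header or no key configured: fail closed
    candidates = [s.strip().lower() for s in header_value.split(",") if s.strip()]
    expected = [compute_signature(k, raw_body) for k in keys]
    ok = False
    for cand in candidates:
        for exp in expected:
            # compare_digest is constant-time; no early exit on a match
            ok |= hmac.compare_digest(cand.encode("utf-8"), exp.encode("utf-8"))
    return ok


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    body = b'{"status":"done"}'
    # Mid-rotation header: signatures from both the new and the old key.
    header = ",".join(
        [compute_signature(new_key, body), compute_signature(old_key, body)]
    )
    print("not yet updated (old key):", verify_callback(body, header, [old_key]))
    print("already updated (new key):", verify_callback(body, header, [new_key]))
    print("tampered body:", verify_callback(body + b" ", header, [old_key]))
    print("missing header:", verify_callback(body, None, [old_key]))
```

Pass the request body exactly as received: re-serializing parsed JSON changes the bytes and the HMAC will no longer match.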
Revoking your key
To delete your signing key entirely:
- Go to Settings → Webhook Keys
- Click Revoke
Revoking your signing key means callbacks will no longer include a signature header. Update your application to stop verifying signatures before you revoke the key.