POST to a public URL. Without verification, you can’t tell a real Nomos delivery from a forged one, and an intercepted payload could be replayed against you later. To prevent this, every webhook is signed with a secret tied to your endpoint and stamped with the time it was sent. Check both before acting on the event.
Each webhook endpoint has its own signing secret. Find it on the endpoint’s
detail page in the Nomos dashboard
under Developer → Webhooks.
1
Parse the header
Each request includes an
X-Nomos-Signature header:t: Unix timestamp (seconds) when Nomos sent the request.v1: HMAC-SHA256 of${t}.${rawBody}, hex-encoded, signed with your endpoint’s secret.
t and v1 out of the header.2
Reject stale timestamps
If
t is more than 5 minutes off your clock, treat it as a replay and stop.3
Recompute the signature
Run
HMAC-SHA256(${t}.${rawBody}, secret) using your stored signing secret
and the raw request body, byte-for-byte.4
Compare the signatures
Compare your computed value to
v1 and reject if they differ. Use a
timing-safe helper (like Node’s timingSafeEqual) instead of ===, so an
attacker can’t learn the signature from how long the comparison takes.