
Signature verification

Every webhook SimpleQ sends carries an x-simpleq-signature header containing an HMAC-SHA256 of the raw request body, keyed with the queue's signingSecret. Verify it on every request before processing — without verification, anyone who knows your webhook URL can deliver forged jobs to your worker.

Stub

This page is a stub. Recipes are linking to it. Real content lands soon.

TODO — content

  • The header name (x-simpleq-signature) and format (sha256=<hex>).
  • Where to find signingSecret (returned when the queue is created; rotatable from the dashboard).
  • A reference verification snippet using crypto.timingSafeEqual (Node) — verify against the raw body, not the parsed JSON.
  • What to do on a failed signature: return 401, do not process.
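The checks listed above, sketched in Node as an added example. This is not SimpleQ's reference snippet: the function names, sample secret and sample body are constructed for illustration, and the header format is assumed to be the sha256=<hex> form named in the list.

```javascript
const crypto = require("node:crypto");

// Hypothetical helper: returns true only if headerValue is a well-formed
// "sha256=<hex>" HMAC-SHA256 of rawBody keyed with signingSecret.
// rawBody must be the bytes as received (a Buffer), not re-serialized JSON.
function verifySimpleqSignature(rawBody, headerValue, signingSecret) {
  if (typeof headerValue !== "string") return false; // missing or repeated header
  const match = /^sha256=([0-9a-f]{64})$/i.exec(headerValue.trim());
  if (!match) return false; // wrong prefix, wrong length, or non-hex characters

  const received = Buffer.from(match[1], "hex");
  const expected = crypto
    .createHmac("sha256", signingSecret)
    .update(rawBody)
    .digest();

  // timingSafeEqual throws on unequal lengths, so check length first.
  return (
    received.length === expected.length &&
    crypto.timingSafeEqual(received, expected)
  );
}

// Hypothetical handler core: verify first, parse only after the check passes.
function handleWebhook(rawBody, headers, signingSecret) {
  const header = headers["x-simpleq-signature"];
  if (!verifySimpleqSignature(rawBody, header, signingSecret)) {
    return { status: 401, job: null }; // failed signature: do not process
  }
  return { status: 200, job: JSON.parse(rawBody.toString("utf8")) };
}

// Constructed sample data, used only to exercise the functions above.
const SAMPLE_SECRET = "example-signing-secret";
const SAMPLE_BODY = Buffer.from('{"jobId":"job_123","payload":{"n":1}}');

function signForDemo(body, secret) {
  const hex = crypto.createHmac("sha256", secret).update(body).digest("hex");
  return "sha256=" + hex;
}
```

In an Express app, mount `express.raw({ type: "application/json" })` on the webhook route so the handler receives the unparsed Buffer.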