Webhook Test

Validate before going live.

Test your webhook endpoint and signature verification without processing a real document.

Test webhook delivery
Must be a reachable HTTPS endpoint
Used to generate the HMAC-SHA256 signature header
Signature Verification (Node.js)
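import crypto from 'crypto'

// Runs inside your webhook request handler (req, res)
const raw = req.rawBody // Buffer of raw request bytes
const sig = req.headers['x-poldex-signature'] ?? '' // t=...,v1=...
const secret = process.env.POLDEX_WEBHOOK_SECRET

// Parse timestamp and signature from header
const parts = Object.fromEntries(sig.split(',').map(p => p.trim().split('=')))
const timestamp = parts['t']
const v1 = parts['v1']

// Reject a missing or malformed header before computing anything
if (!timestamp || !v1) return res.status(401).end()

// Recompute: HMAC-SHA256 over "<timestamp>.<raw body>"
const expected = crypto
  .createHmac('sha256', secret)
  .update(timestamp + '.')
  .update(raw)
  .digest('hex')

// timingSafeEqual throws if the buffers differ in length, so compare lengths first
const received = Buffer.from(v1, 'utf8')
const computed = Buffer.from(expected, 'utf8')
const isValid =
  received.length === computed.length &&
  crypto.timingSafeEqual(received, computed)

if (!isValid) return res.status(401).end()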
Sample Payload
{
  "job_id": "job_01hx4mz9p3kqa8",
  "status": "complete",
  "schema_id": "commercial_gl",
  "schema_version": "2024-01",
  "result": {
    "policies": [{ "policy_id": "GL-2024-0041" }],
    "coverages": [{ "coverage_type": "Commercial GL",
                    "limit_occ": 1000000 }],
    "facts": [...],
    "conflicts": []
  },
  "credits_captured": 12,
  "delivered_at": "2024-04-10T14:23:11Z"
}
Before Going Live
Verify the signature using your webhook secret before processing any payload
Use crypto.timingSafeEqual for signature comparison — not ===
Read the raw request body before JSON parsing; use the raw bytes for HMAC
Return 200 immediately. Process the payload asynchronously.
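
The verification steps and checklist above as one reusable function, written here as an added example (not Poldex's own code); it rejects malformed headers without throwing and shows why a re-serialized JSON body fails the check. It assumes t is a Unix timestamp in seconds and applies a 300-second freshness window, neither of which the page specifies; verifyWebhook, sign, the secret and the sample body are constructed for illustration.

```javascript
const crypto = require('node:crypto')

const TOLERANCE_SECONDS = 300 // assumed replay window; the page does not specify one

// Build a header in the page's format: t=<timestamp>,v1=<hex HMAC-SHA256 of "<t>.<raw body>">
function sign(secret, timestamp, rawBody) {
  const v1 = crypto.createHmac('sha256', secret)
    .update(timestamp + '.').update(rawBody).digest('hex')
  return `t=${timestamp},v1=${v1}`
}

// Returns { ok: true } or { ok: false, reason }; a malformed header never throws.
function verifyWebhook(secret, header, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof header !== 'string') return { ok: false, reason: 'missing header' }
  const parts = Object.create(null)
  for (const item of header.split(',')) {
    const i = item.indexOf('=')
    if (i > 0) parts[item.slice(0, i).trim()] = item.slice(i + 1).trim()
  }
  // Assumption: t is decimal Unix seconds, v1 is 64 lowercase hex characters.
  if (!/^\d+$/.test(parts.t || '') || !/^[0-9a-f]{64}$/.test(parts.v1 || '')) {
    return { ok: false, reason: 'malformed header' }
  }
  const expected = crypto.createHmac('sha256', secret)
    .update(parts.t + '.').update(rawBody).digest()
  const received = Buffer.from(parts.v1, 'hex') // 32 bytes, guaranteed by the regex
  if (!crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: 'bad signature' }
  }
  // Check freshness only after the signature proves the timestamp is authentic.
  if (Math.abs(nowSeconds - Number(parts.t)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: 'stale timestamp' }
  }
  return { ok: true }
}

// Constructed sample: a delivery signed at T with a made-up secret.
const SECRET = 'whsec_constructed_example'
const T = 1712758991
const RAW = Buffer.from('{"job_id": "job_01hx4mz9p3kqa8",  "status": "complete"}')
const HEADER = sign(SECRET, T, RAW)
// Parsing and re-serializing JSON changes whitespace, so the bytes no longer match.
const RESERIALIZED = Buffer.from(JSON.stringify(JSON.parse(RAW.toString('utf8'))))

console.log(verifyWebhook(SECRET, HEADER, RAW, T + 10))
console.log(verifyWebhook(SECRET, HEADER, RESERIALIZED, T + 10))
console.log(verifyWebhook(SECRET, HEADER, RAW, T + 3600))
console.log(verifyWebhook(SECRET, 't=1,v1=abc', RAW, T + 10))
```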