Verify the signature using your webhook secret before processing any payload.
Validate before going live.
Test your webhook endpoint and signature verification without processing a real document.
Test webhook delivery
Send a signed event.
Verification
Verify the signature before processing.
Use the raw request body for HMAC verification. Return quickly, then process payload work asynchronously.
import crypto from 'crypto'

const raw = req.rawBody // Buffer of raw request bytes
const sig = req.headers['x-poldex-signature'] // t=...,v1=...
const secret = process.env.POLDEX_WEBHOOK_SECRET

// Reject requests that carry no signature header
if (!sig) return res.status(401).end()

// Parse timestamp and signature from header
const parts = Object.fromEntries(sig.split(',').map(p => p.split('=')))
const timestamp = parts['t']
const v1 = parts['v1']
if (!timestamp || !v1) return res.status(401).end()

// Recompute: HMAC-SHA256 over "<timestamp>.<raw body>"
const expected = crypto
  .createHmac('sha256', secret)
  .update(timestamp + '.')
  .update(raw)
  .digest('hex')

// timingSafeEqual throws when the buffers differ in length, so compare lengths first
const given = Buffer.from(v1, 'utf8')
const wanted = Buffer.from(expected, 'utf8')
const isValid = given.length === wanted.length && crypto.timingSafeEqual(given, wanted)

if (!isValid) return res.status(401).end()

{
  "job_id": "job_01hx4mz9p3kqa8",
  "status": "complete",
  "schema_id": "commercial_gl",
  "schema_version": "2024-01",
  "result": {
    "policies": [{ "policy_id": "GL-2024-0041" }],
    "coverages": [{ "coverage_type": "Commercial GL",
                    "limit_occ": 1000000 }],
    "facts": [...],
    "conflicts": []
  },
  "credits_captured": 1,
  "delivered_at": "2024-04-10T14:23:11Z"
}

Before Going Live
Webhook delivery checklist.
These are the minimum production checks before accepting PolDex job completion events.
Use crypto.timingSafeEqual for signature comparison - not ===
Capture the raw request body before JSON parsing - use the raw bytes for HMAC
Return 200 immediately. Process the payload asynchronously.
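The first two checklist items, as an added example (not PolDex's own code): a verifier that never throws on a malformed header, plus a constructed event showing that re-serialised JSON fails the HMAC. The function names, the sample secret and body, the reading of `t` as Unix seconds, and the 5-minute replay window are assumptions; the page does not state a tolerance.

```javascript
// Added example: hardened check of the "t=...,v1=..." header (hypothetical helper names).
const crypto = require('node:crypto')

// Assumption: t is Unix seconds and a 5-minute replay window is acceptable.
const TOLERANCE_SECONDS = 300

// Build a header as the page describes: HMAC-SHA256 over "<timestamp>.<raw body>".
function signPayload(rawBody, secret, timestamp) {
  const mac = crypto.createHmac('sha256', secret).update(`${timestamp}.`).update(rawBody).digest('hex')
  return `t=${timestamp},v1=${mac}`
}

// Returns { ok, reason }; never throws on sender-controlled input.
function verifySignature(rawBody, header, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof header !== 'string' || !Buffer.isBuffer(rawBody)) return { ok: false, reason: 'missing' }
  const parts = Object.create(null)
  for (const item of header.split(',')) {
    const i = item.indexOf('=')
    if (i > 0) parts[item.slice(0, i).trim()] = item.slice(i + 1).trim()
  }
  const { t, v1 } = parts
  if (!/^\d+$/.test(t || '') || !/^[0-9a-f]{64}$/i.test(v1 || '')) return { ok: false, reason: 'malformed' }
  const expected = crypto.createHmac('sha256', secret).update(t + '.').update(rawBody).digest()
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  if (!crypto.timingSafeEqual(Buffer.from(v1, 'hex'), expected)) return { ok: false, reason: 'bad_signature' }
  // Freshness is checked only after the MAC is valid, so t is authenticated.
  if (Math.abs(nowSeconds - Number(t)) > TOLERANCE_SECONDS) return { ok: false, reason: 'stale' }
  return { ok: true, reason: null }
}

// Constructed sample event and secret (not real values).
const SECRET = 'whsec_constructed_example'
const NOW = 1712758991
const RAW = Buffer.from('{"job_id": "job_01hx4mz9p3kqa8",  "status": "complete"}')
const HEADER = signPayload(RAW, SECRET, NOW)

function demo() {
  // Parsing then re-serialising changes whitespace, so the bytes (and the MAC) differ.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW.toString('utf8'))))
  return {
    valid: verifySignature(RAW, HEADER, SECRET, NOW),
    reserialized: verifySignature(reserialized, HEADER, SECRET, NOW),
    replayed: verifySignature(RAW, HEADER, SECRET, NOW + 3600),
    truncated: verifySignature(RAW, HEADER.slice(0, -10), SECRET, NOW),
    noHeader: verifySignature(RAW, undefined, SECRET, NOW),
  }
}
console.log(demo())
```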
Need the webhook contract?
Read the docs for event shape, signing rules, retries, and DLQ behavior.