Signature Verification
Every webhook request from eCourtDate includes an X-ECD-Signature header. This header contains an HMAC-SHA256 signature that you can use to verify the request is authentic and has not been tampered with.
How It Works
- eCourtDate computes an HMAC-SHA256 hash of the raw request body using your shared secret
- The resulting hex digest is sent in the X-ECD-Signature header
- Your server recomputes the hash using the same secret and compares it to the header value
Node.js Example
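const crypto = require('crypto');
const express = require('express');
const app = express();
function verifySignature(payload, signature, secret) {
  // A missing header or an unparsed body can never produce a valid match
  if (typeof signature !== 'string') return false;
  if (typeof payload !== 'string' && !Buffer.isBuffer(payload)) return false;
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  const received = Buffer.from(signature);
  const expectedBuf = Buffer.from(expected);
  // timingSafeEqual throws if the buffers differ in length, so check first
  if (received.length !== expectedBuf.length) return false;
  return crypto.timingSafeEqual(received, expectedBuf);
}
// Usage in Express middleware
// express.raw() keeps req.body as a Buffer of the exact bytes that were signed;
// JSON.stringify(req.body) on a parsed body may not reproduce those bytes
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.headers['x-ecd-signature'];
  const payload = req.body; // raw request body (Buffer)
  if (!verifySignature(payload, signature, process.env.WEBHOOK_SECRET)) {
    return res.status(401).json({ error: 'Invalid signature' });
  }
  // Process webhook event (parse the verified payload with JSON.parse)
  res.json({ received: true });
});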
curl Verification Example
You can manually compute a signature to test against your endpoint:
echo -n '{"uuid":"test"}' | openssl dgst -sha256 -hmac "your-shared-secret"
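This outputs the hex digest that would appear in the X-ECD-Signature header for the given payload and secret. openssl prints the digest after a label ending in "(stdin)= ", so compare only the hex string that follows it.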
caution
Always use constant-time comparison (crypto.timingSafeEqual in Node.js) to prevent timing attacks. Standard string equality checks (===) can leak information about the expected value through response time differences.
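The following added example (not eCourtDate's own code) shows why the hash must be computed over the raw request body and how a verifier can reject malformed headers without throwing. The secret, payloads and function names are constructed for illustration, and accepting upper-case hex in the header is an assumption.

```javascript
const crypto = require('crypto');

// Sender side as described above: HMAC-SHA256 of the raw body, hex-encoded.
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Receiver side: returns false (never throws) for missing or malformed headers.
function verifyRaw(rawBody, header, secret) {
  // A SHA-256 hex digest is exactly 64 hex characters.
  if (typeof header !== 'string' || !/^[0-9a-f]{64}$/i.test(header)) return false;
  const expected = Buffer.from(sign(rawBody, secret), 'hex');
  const received = Buffer.from(header, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(received, expected);
}

// Constructed sample data, not real eCourtDate values.
const SECRET = 'example-shared-secret';
const RAW = Buffer.from('{"uuid": "test", "event":"sample"}'); // bytes as sent
const HEADER = sign(RAW, SECRET);

function demo() {
  // Parsing and re-serializing drops the space after the first colon,
  // so the bytes no longer match what was signed.
  const reserialized = JSON.stringify(JSON.parse(RAW.toString('utf8')));
  const tampered = Buffer.from('{"uuid": "other", "event":"sample"}');
  return {
    rawBytes: verifyRaw(RAW, HEADER, SECRET),
    reserialized: verifyRaw(reserialized, HEADER, SECRET),
    tamperedBody: verifyRaw(tampered, HEADER, SECRET),
    missingHeader: verifyRaw(RAW, undefined, SECRET),
    truncatedHeader: verifyRaw(RAW, HEADER.slice(0, 10), SECRET),
    wrongSecret: verifyRaw(RAW, HEADER, 'another-secret'),
  };
}

console.log(demo());
```

Only the rawBytes case verifies; the re-serialized body fails even though it parses to the same JSON.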
Next Steps
- Security -- review all available security layers
- Implementation Examples -- see a complete server with signature verification built in