Skip to main content
Securing your webhook endpoints is strongly recommended to ensure that incoming requests genuinely originate from ParcelTracer.

How Webhooks Are Secured

When you create a webhook, ParcelTracer automatically:
  • Generates a secret key.
  • Signs each webhook payload using HMAC-SHA256 with the secret key.
  • Sends the signature in the X-PT-Webhook-Signature header.

Example of Signature Header

How to Verify the Signature

To ensure the webhook is legitimate: Compute the HMAC-SHA256 hash of the raw request body using your secret key. Compare your computed hash with the signature provided in the header.
Compare the computed digest with the value found in the x-pt-webhook-signature header. If they are equal, it means the request is indeed originating from ParcelTracer.