1. Webhooks
  • HMS Sovereign API
  • Get started
    • Authentication
    • Introduction
    • Quickstart
  • Core concepts
    • Assistants
    • Calls
    • Phone Numbers
    • Webhooks
  • Platform
    • Billing & Credits
    • EU Data Sovereignty
    • Voice Selection
    • Whitelabel Portal
  • Webhooks
    • Assistant Request
    • End of Call Report
    • Webhooks Overview
    • Webhook Security
    • Status Update
    • Tool Calls
  • Configuration
    • Analysis Templates
    • Custom Tools
    • SIP Trunks
    • Tool Templates
  • Features
    • AI Generation
    • Autonomous Silence Handling
    • Call Analysis
    • Call Transfers
    • Campaigns Setup
    • Outbound Campaigns
    • Voicemail Detection
    • Web Calls
  • Integrations
    • BYOK Setup
    • Provider Pricing
    • xAI Grok Integration
  • Reference
    • Error Codes
    • Rate Limits
    • Troubleshooting
Documentation
API Reference
Documentation
API Reference
Book a meeting
Linkedin
Github
  1. Webhooks

Webhook Security

When you configure a webhook_secret on your assistant, HMS Sovereign signs all webhook requests. You should verify these signatures to ensure requests come from HMS Sovereign.

Signature Format#

HMS Sovereign uses HMAC-SHA256 to sign webhooks. The signature is included in the X-Webhook-Signature header.

How It's Calculated#

message = timestamp + "." + raw_request_body
signature = HMAC-SHA256(secret, message)

Verification Examples#

Python#

Node.js#

Go#

PHP#

Best Practices#

1.
Always verify in production - Never skip signature verification in production
2.
Use timing-safe comparison - Prevent timing attacks with constant-time comparison
3.
Check timestamp freshness - Optionally reject requests older than 5 minutes to prevent replay attacks
4.
Store secret securely - Use environment variables, not hardcoded values
5.
Log verification failures - Monitor for suspicious activity

Timestamp Validation#

Optionally validate the timestamp to prevent replay attacks:
See WebhookHeaders Schema for header details.
Modified at 2026-03-17 10:59:50
Previous
Webhooks Overview
Next
Status Update
Built with