All the HTTP request to the target url is signed on the header with this algotithm

crypto.createHmac('sha256', token).update(body).digest('hex');


  • token, is the Tilby token used to configure the webhook
  • body, is the body of the event

The use of this security control is not mandatory, but enables external platforms to verify that the HTTP request come from the Tilby cloud.