All the HTTP request to the target url is signed on the header with this algotithm

crypto.createHmac('sha256', token).update(body).digest('hex');


  • token, is the Tilby token used to configure the webhook
  • body, is the body of the event

The use of this security control is not mandatory, but enables external platforms to verify that the HTTP request come from the Tilby cloud.

Did this page help you?