Signature validation

Signature validation verifies that an incoming webhook really came from the provider before FlurryPORT stores it. Configure it per endpoint. Invalid requests are rejected with a 401 and kept as flagged captures so you can see what was turned away. Available on every tier, including free.

This is distinct from signatures preserved on replay, which is about forwarding the original signature intact. Validation is about checking the signature on the way in.

Configuring per-endpoint webhook signature validation in FlurryPORT

Configuration

On an endpoint, set three fields:

  • Signing Secret. Pick a $secrets.NAME that holds the provider signing key. See Secrets.
  • Signing Header. The header carrying the signature.
  • Signature Scheme. How the signature is computed and formatted.

Supported schemes

Scheme        Use for
Generic HMAC  GitHub, Shopify, and any sha256= / hex / base64 HMAC-SHA256 header.
Svix          Svix and Standard Webhooks.
Stripe        Stripe t=,v1= signature header.
Square        Square webhook signatures.
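
What the Generic HMAC and Stripe checks compute on the receiving side, as an added Python example (not FlurryPORT's code). The function names, the 300-second timestamp tolerance, and the sample secret and body are assumptions of this example.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample values (not a real provider key or payload).
SECRET = b"constructed-signing-secret"
BODY = b'{"event":"order.created","id":1}'


def verify_generic_hmac(secret: bytes, body: bytes, header_value: str) -> bool:
    """Check an HMAC-SHA256 header given as sha256=<hex>, bare hex, or base64."""
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    value = header_value.strip()
    if value.lower().startswith("sha256="):
        value = value[len("sha256="):]
    candidates = []
    for decode in (bytes.fromhex, lambda v: base64.b64decode(v, validate=True)):
        try:
            candidates.append(decode(value))
        except ValueError:  # not valid in this encoding; try the next one
            pass
    # Constant-time comparison so a mismatch leaks no timing information.
    return any(hmac.compare_digest(c, expected) for c in candidates)


def verify_stripe(secret: bytes, body: bytes, header_value: str,
                  tolerance: int = 300, now=None) -> bool:
    """Check a Stripe 't=<unix ts>,v1=<hex>' header over '<ts>.<raw body>'."""
    fields = [p.strip().split("=", 1) for p in header_value.split(",") if "=" in p]
    ts = next((v for k, v in fields if k == "t"), "")
    if not (ts.isascii() and ts.isdigit()):
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > tolerance:
        return False  # timestamp outside the window: treat as a possible replay
    expected = hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(v.encode(), expected.encode())
               for k, v in fields if k == "v1")


if __name__ == "__main__":
    good = "sha256=" + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()
    print("matching secret:", verify_generic_hmac(SECRET, BODY, good))
    print("wrong secret:   ", verify_generic_hmac(b"other-secret", BODY, good))
```

The signature is always computed over the raw request bytes, so a body that was re-serialized or re-encoded before the check fails in the same way a wrong secret does.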

What a rejected capture looks like

When validation fails, FlurryPORT responds to the sender with a 401 and stores the request as a flagged rejected capture. You can open it like any other capture to see the headers and body that arrived, which makes a misconfigured secret or a spoofing attempt obvious instead of invisible.