verification

Webhook Signatures (HMAC-SHA256)

Mission Control signs every webhook delivery with HMAC-SHA256 over `${timestamp}.${body}`. Receivers verify with @mc/sdk.

Every webhook delivery includes four headers: X-MC-Event-Id, X-MC-Event-Type, X-MC-Timestamp, X-MC-Signature. The signature is HMAC-SHA256 over `${timestamp}.${body}` using the secret returned at webhook creation (shown ONCE).

@mc/sdk exports verifyWebhookSignature() and verifyFromHeaders() — timing-safe compare, configurable replay tolerance (default 5 minutes), reasons enumerated (signature_mismatch, timestamp_outside_tolerance, malformed). Always verify; never trust the body alone.

Related