Skip to main content
When using webhooks, it is a critical security best practice to verify that incoming payloads are actually sent by Solifyn and have not been tampered with or replayed by attackers. Because Solifyn uses Svix as its webhook provider, all signature verification should be handled using the standard, official Svix SDKs or libraries.
[!IMPORTANT] Official Svix Documentation For detailed instructions, security best practices, and troubleshooting tips, visit the official Svix Payload Verification Guide.

Retrieving Your Webhook Secret

Before verifying signatures, you need to obtain the endpoint signing secret from your Solifyn Developer Dashboard:
  1. Navigate to Developer > Webhooks.
  2. Select your webhook endpoint.
  3. Locate the Signing Secret (usually starts with whsec_).

Code Examples

Select your preferred language below to see how to verify webhook signatures using the official Svix packages: 
import { Webhook } from 'svix';
import * as express from 'express';

const app = express();

app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const payload = req.body.toString();
  const headers = req.headers as Record<string, string>;
  const secret = 'whsec_...'; // Your Webhook Secret from Solifyn Dashboard

  const wh = new Webhook(secret);
  try {
    // Returns the parsed and verified payload object
    const event = wh.verify(payload, headers);
    console.log('Webhook verified successfully:', event);
    res.status(200).send('OK');
  } catch (err: any) {
    console.error('Invalid signature:', err.message);
    res.status(400).send('Invalid signature');
  }
});