Configure Webhook Signing
Signing lets receivers verify that a delivery came from InstaWebhook and was not modified in transit. The signature payload is:
timestamp.event_id.raw_body
raw_body is the request body exactly as received; compute the HMAC over those bytes rather than over a re-serialised object, since whitespace or key order changes will break the check. Use a timestamp tolerance in the receiver to reduce replay risk. Rotate signing secrets when access changes.
import crypto from "crypto";

// Recomputes the InstaWebhook signature over `timestamp.eventId.rawBody`
// and compares it with the received signature in constant time.
export function verifyInstaWebhookSignature({
  secret,
  timestamp,
  eventId,
  rawBody,
  signature,
}: {
  secret: string;
  timestamp: string;
  eventId: string;
  rawBody: string;
  signature: string;
}): boolean {
  const signedPayload = `${timestamp}.${eventId}.${rawBody}`;
  const expected = crypto
    .createHmac("sha256", secret)
    .update(signedPayload)
    .digest("hex");
  const received = Buffer.from(signature, "hex");
  const wanted = Buffer.from(expected, "hex");
  // timingSafeEqual throws when the buffers differ in length, which would turn
  // a malformed or truncated signature header into an unhandled error instead
  // of a rejected delivery; a length mismatch can only ever be a bad signature.
  if (received.length !== wanted.length) {
    return false;
  }
  return crypto.timingSafeEqual(received, wanted);
}
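As an added example (not code from the InstaWebhook docs), a receiver check that applies the timestamp tolerance recommended above before the constant-time signature comparison, and reports why a delivery was rejected. The signDelivery helper reconstructs the sender side from the payload format (hex HMAC-SHA256 over timestamp.event_id.raw_body) and, like the event id and body in the test, is an assumption for illustration.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Distinct outcomes so the receiver can log the reason for a rejection.
export type VerifyResult = "ok" | "bad_timestamp" | "stale_timestamp" | "bad_signature";

// Sender side, reconstructed from the documented payload format (assumption):
// hex HMAC-SHA256 over `timestamp.eventId.rawBody`. Used here to build test deliveries.
export function signDelivery(secret: string, timestamp: string, eventId: string, rawBody: string): string {
  return createHmac("sha256", secret)
    .update(`${timestamp}.${eventId}.${rawBody}`)
    .digest("hex");
}

// Receiver side: reject malformed or stale timestamps first, then compare the
// signature in constant time. `nowSeconds` is injectable so the tolerance check
// can be exercised deterministically.
export function verifyDelivery(
  secret: string,
  timestamp: string,
  eventId: string,
  rawBody: string,
  signature: string,
  toleranceSeconds = 300,
  nowSeconds = Math.floor(Date.now() / 1000),
): VerifyResult {
  // Only plain unsigned integers (Unix seconds) are accepted as timestamps.
  if (!/^\d+$/.test(timestamp)) return "bad_timestamp";
  const ts = Number(timestamp);
  // Clock skew in either direction counts against the tolerance window.
  if (Math.abs(nowSeconds - ts) > toleranceSeconds) return "stale_timestamp";

  const expected = Buffer.from(signDelivery(secret, timestamp, eventId, rawBody), "hex");
  const received = Buffer.from(signature, "hex");
  // timingSafeEqual throws on unequal lengths; a wrong-length header is simply invalid.
  if (received.length !== expected.length) return "bad_signature";
  return timingSafeEqual(received, expected) ? "ok" : "bad_signature";
}
```

A delivery that fails the tolerance check is rejected before any HMAC is computed, so replayed captures outside the window cost the receiver only a string check.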