> ## Documentation Index
> Fetch the complete documentation index at: https://docs.clicker.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Verifying Webhooks

> When Clicker sends a webhook event to your server, a signature passed in the request headers allows you to verify it's authenticity. It's important that you verify that the header matches the HMAC signature of the request payload signed with your webhook secret to ensure the request originated from Clicker.

What you need to do this:

* The secret generated when first creating the webhook
* The signature in the header `daylight-signature`
* The string of the body included in the request

## Example verification function

```typescript theme={null}
import crypto from 'crypto';

export function verifyDaylightWebhookSignature({
  headerSignature,
  body,
  secret,
}: {
  headerSignature: string | null | undefined;
  body: string;
  secret: string;
}) {
  //Step 1: Extract the timestamp and signatures from the header
  // (the signature var in this case)
  const sigSplit = (headerSignature || '').split(',') || [];

  let timestamp: string | undefined = undefined;
  let signature: string | undefined = undefined;
  for (const element of sigSplit) {
    const [key, value] = element.split('=');
    if (key === 't') {
      timestamp = value;
    } else if (key === 'v1') {
      signature = value;
    }
  }

  if (!signature || !timestamp) {
    throw new Error(`Missing timestamp or signature in ${signature}`);
  }

  // Step 2: Prepare the signed_payload string
  const toSign = `${timestamp}.${body}`;

  //Step 3: Determine the expected signature
  const hash = crypto
    .createHmac('sha256', secret)
    .update(toSign)
      // use base64url instead of base64 to escape equal signs
      // a header ending with an = is invalid!
    .digest('base64url');

  if (hash !== signature) {
    throw new Error(`Incorrect signature value in ${signature}`);
  }

  return true;
}
```