> ## Documentation Index > Fetch the complete documentation index at: https://docs.clicker.xyz/llms.txt > Use this file to discover all available pages before exploring further. # Validate Destination > Validate and test the functionality of your receiving endpoing by calling this endoint. Upon receiving this POST, we will make two requests to the destination URL: - one without a signature - one with a valid "Daylight-Signature" header. Each request will contain an example feed item, allowing you to test parsing and validation. To receive a successful response from this request, your receiving endpoint must return a non-2xx response to the invalid request and a 2xx response to the valid one. When a webhook alert pings your server, we provide a signature to verify that the alert is coming from us. This signature should match a hash of the incoming request's body. To perform this verification, you need: * The secret generated when first creating the webhook * The signature in the header daylight-signature * The string of the body included in the request ## Example verification function ```ts theme={null} import crypto from "crypto"; export function verifyDaylightWebhookSignature({ headerSignature, body, secret, }: { headerSignature: string | null | undefined; body: string; secret: string; }) { //Step 1: Extract the timestamp and signatures from the header // (the signature var in this case) const sigSplit = (headerSignature || "").split(",") || []; let timestamp: string | undefined = undefined; let signature: string | undefined = undefined; for (const element of sigSplit) { const [key, value] = element.split("="); if (key === "t") { timestamp = value; } else if (key === "v1") { signature = value; } } if (!signature || !timestamp) { throw new Error(`Missing timestamp or signature in ${signature}`); } // Step 2: Prepare the signed_payload string const toSign = `${timestamp}.${body}`; //Step 3: Determine the expected signature const hash = crypto .createHmac("sha256", secret) .update(toSign) // use base64url instead of base64 to escape equal signs // a header ending with an = is invalid! .digest("base64url"); if (hash !== signature) { throw new Error(`Incorrect signature value in ${signature}`); } return true; } ``` ## OpenAPI ````yaml POST /v1/webhooks/feed/{uid}/validate openapi: 3.0.0 info: version: 1.0.0 title: Daylight.xyz API description: >- Welcome to the Daylight API! API endpoints require a Daylight partner API key passed in the HTTP Authorization header. servers: - url: https://api.clicker.xyz security: - {} - bearerAuth: [] paths: /v1/webhooks/feed/{uid}/validate: post: tags: - Social - Feed, Profiles and Discovery summary: Validate Feed Webhook Destination description: >- Validate and test the functionality of your receiving endpoing by calling this endoint. Upon receiving this POST, we will make two requests to the destination URL: - one without a signature - one with a valid "Daylight-Signature" header. Each request will contain an example feed item, allowing you to test parsing and validation. To receive a successful response from this request, your receiving endpoint must return a non-2xx response to the invalid request and a 2xx response to the valid one. parameters: - schema: type: string format: uuid required: true name: uid in: path responses: '200': description: '200' content: application/json: schema: type: object properties: success: type: boolean error: type: string required: - success '404': description: The item you requested could not be found content: application/json: schema: type: object properties: error: type: string required: - error components: securitySchemes: bearerAuth: type: http scheme: bearer ````