| Header | Description |
|---|---|
| `Content-Digest` | SHA-512 hash of the request body, formatted as `sha-512=:BASE64:` |
| `Signature-Input` | Describes which request components were signed, the creation timestamp, and the key ID. Example: `sig=("@target-uri" "content-digest" "content-type" "idempotency-key");created=1718884473;keyid="whsec_abc123"` |
| `Signature` | The actual signature over the covered components, formatted as `sig=:BASE64:` |

The `keyid` in `Signature-Input` matches the `whsec_...` identifier shown in Settings → Webhooks, where you can also retrieve the public key to verify signatures.
Constructing the signature base
To verify the signature you must reconstruct the same signature base that AccessOwl signed. The procedure follows RFC 9421 §2.5:

- For each component listed in `Signature-Input`, in order, emit one line formatted as:
- Append a final line using the exact string value of the `Signature-Input` header:
- Join all lines with a single newline character (`\n`). There is no trailing newline.
@target-uri, content-digest, content-type, idempotency-key.
Example signature base:
Take `@target-uri` from the full request URL (including scheme and path) and `content-digest` directly from the `Content-Digest` request header. Once assembled, verify the `Signature` header value against this base using the Ed25519 public key for your webhook endpoint, which is available in Settings → Webhooks.
We recommend using an HTTP Message Signatures library for your language rather than implementing RFC 9421 verification from scratch.
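
To show what such a library does for this webhook, here is an added Node.js example (not AccessOwl's code): it checks `Content-Digest`, rebuilds the signature base per RFC 9421 §2.5 (the `"@signature-params"` line carries the `Signature-Input` value after the `sig=` label), and verifies it with Ed25519. The `req` shape, the `REQUIRED` policy and `sampleRequest` are assumptions for illustration, and the sample request and key pair are constructed.

```javascript
const crypto = require("node:crypto");

// Components this page lists as signed; requiring all four is an assumed policy.
const REQUIRED = ["@target-uri", "content-digest", "content-type", "idempotency-key"];

// Rebuild the RFC 9421 signature base. `req` = { url, headers, body } with
// lower-cased header names is an assumed shape, not an AccessOwl API.
function signatureBase(req) {
  const m = /^sig=(\(([^)]*)\)(;.*)?)$/.exec(req.headers["signature-input"] || "");
  if (!m) throw new Error("malformed Signature-Input");
  const names = [...m[2].matchAll(/"([^"]+)"/g)].map((x) => x[1]);
  const lines = names.map((name) => {
    const value = name === "@target-uri" ? req.url : req.headers[name];
    if (value === undefined) throw new Error(`missing component ${name}`);
    return `"${name}": ${value.trim()}`;
  });
  lines.push(`"@signature-params": ${m[1]}`); // inner list plus parameters, no "sig=" label
  return { base: lines.join("\n"), names }; // joined with \n, no trailing newline
}

// True only if the body matches Content-Digest, every expected component is
// covered, and the Ed25519 signature verifies over the rebuilt base.
function verifyWebhook(req, publicKey) {
  try {
    const digest = crypto.createHash("sha512").update(req.body).digest("base64");
    if (req.headers["content-digest"] !== `sha-512=:${digest}:`) return false;
    const { base, names } = signatureBase(req);
    if (!REQUIRED.every((c) => names.includes(c))) return false;
    const sig = /^sig=:([A-Za-z0-9+/=]+):$/.exec(req.headers["signature"] || "");
    if (!sig) return false;
    return crypto.verify(null, Buffer.from(base), publicKey, Buffer.from(sig[1], "base64"));
  } catch {
    return false; // any parsing or key error is treated as a failed verification
  }
}

// Constructed sample: a made-up request signed with a throwaway key pair.
function sampleRequest() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const body = Buffer.from('{"event":"example"}');
  const digest = crypto.createHash("sha512").update(body).digest("base64");
  const req = { url: "https://example.com/hooks/accessowl", body, headers: {
    "content-type": "application/json", "idempotency-key": "constructed-key-1",
    "content-digest": `sha-512=:${digest}:`,
    "signature-input": 'sig=("@target-uri" "content-digest" "content-type" "idempotency-key");created=1718884473;keyid="whsec_abc123"' } };
  const sigBytes = crypto.sign(null, Buffer.from(signatureBase(req).base), privateKey);
  req.headers.signature = `sig=:${sigBytes.toString("base64")}:`;
  return { req, publicKey };
}
```

Compute the digest over the raw request bytes as received, before any JSON parsing or re-serialization, or the comparison will fail on legitimate deliveries.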

