Verify signed webhooks

Verify SignalEDI webhook signatures with HMAC-SHA256, timestamp tolerance, and replay protection — Node and Python examples included.

Why signatures matter

Webhook endpoints are public URLs. SignalEDI signs every delivery so you can trust document.validated and document.partner_ack payloads.

Signing scheme

Each delivery carries two headers: X-SignalEDI-Timestamp and X-SignalEDI-Signature (sha256=<hex>). The signature is HMAC-SHA256 over the string `${timestamp}.${rawBody}`, keyed with your webhook signing secret.

  • Reject timestamps older than five minutes
  • Legacy secrets honored during seven-day rotation grace

Node verification

Read the raw request body before JSON parsing — re-serialized JSON will not match the signature.

import crypto from "node:crypto";

// Verifies X-SignalEDI-Signature against the raw, unparsed request body.
function verifySignalEdiWebhook(input: {
  rawBody: string;
  signatureHeader: string;
  timestampHeader: string;
  secret: string;
}): boolean {
  // Strip the "sha256=" scheme prefix and normalize the hex digest.
  const provided = input.signatureHeader.replace(/^sha256=/i, "").toLowerCase();
  // Recompute HMAC-SHA256 over "<timestamp>.<raw body>", exactly as SignalEDI signed it.
  const expected = crypto
    .createHmac("sha256", input.secret)
    .update(`${input.timestampHeader}.${input.rawBody}`, "utf8")
    .digest("hex");
  const providedBuf = Buffer.from(provided, "hex");
  const expectedBuf = Buffer.from(expected, "hex");
  // timingSafeEqual throws on a length mismatch, so a malformed or truncated
  // header must be rejected explicitly instead of crashing the handler.
  if (providedBuf.length !== expectedBuf.length) return false;
  return crypto.timingSafeEqual(providedBuf, expectedBuf);
}

Python verification

Compare with hmac.compare_digest rather than ==, and respond 401 when verification fails.

import hmac
import hashlib

def verify_signaledi_webhook(raw_body: str, signature: str, timestamp: str, secret: str) -> bool:
    # Strip the "sha256=" scheme prefix and normalize the hex digest.
    provided = signature.removeprefix("sha256=").lower()
    # Recompute HMAC-SHA256 over "<timestamp>.<raw body>", exactly as SignalEDI signed it.
    expected = hmac.new(
        secret.encode(),
        f"{timestamp}.{raw_body}".encode(),
        hashlib.sha256,
    ).hexdigest()
    # Constant-time comparison; never compare MACs with ==.
    return hmac.compare_digest(provided, expected)
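Neither snippet above enforces the five-minute timestamp rule or the rotation grace described under Signing scheme. The following is an added example, not SignalEDI's own code, showing a Python verifier that does both; it assumes X-SignalEDI-Timestamp is Unix seconds and that legacy secrets are passed alongside the current one. The sign_payload helper and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional, Sequence

TOLERANCE_SECONDS = 300  # page rule: reject timestamps older than five minutes
HEX_DIGITS = set("0123456789abcdef")

def sign_payload(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Produce a sha256=<hex> header value; used here only to build sample deliveries."""
    mac = hmac.new(secret.encode(), timestamp.encode() + b"." + raw_body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()

def verify_delivery(raw_body: bytes, signature_header: str, timestamp_header: str,
                    secrets: Sequence[str], now: Optional[int] = None,
                    tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only if the timestamp is fresh and the signature matches one of `secrets`
    (current secret first, then legacy secrets still inside the seven-day rotation grace)."""
    # 1. Freshness (assumption: Unix seconds). Reject before doing any HMAC work.
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if now - ts > tolerance or ts - now > tolerance:  # stale replay, or clock far in the future
        return False
    # 2. Header shape: scheme must be sha256 and the digest exactly 64 hex characters.
    scheme, sep, provided = signature_header.partition("=")
    provided = provided.strip().lower()
    if not sep or scheme.strip().lower() != "sha256":
        return False
    if len(provided) != 64 or not set(provided) <= HEX_DIGITS:
        return False
    # 3. Recompute over the exact header string and raw bytes, never re-serialized JSON.
    signed = timestamp_header.encode() + b"." + raw_body
    matched = False
    for secret in secrets:  # check every secret so timing does not reveal which one matched
        expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
        matched |= hmac.compare_digest(provided, expected)
    return matched

if __name__ == "__main__":
    body = b'{"event":"document.validated"}'  # constructed sample body
    ts = "1700000000"
    header = sign_payload("whsec_current_example", ts, body)  # constructed secret
    # The old secret is still listed during rotation grace, so this delivery is accepted.
    print(verify_delivery(body, header, ts, ["whsec_new_example", "whsec_current_example"], now=1700000060))
```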

Common questions

Built for SMB teams that need API-first EDI, healthcare diligence, and predictable pricing.

SignalEDI keeps the public promise consistent across every route: real-time processing, transparent monthly plans, no per-document fees, QuickBooks-friendly handoffs, and core healthcare X12 workflows on paid plans.

  • HIPAA-aware handling
  • BAA path documented
  • Secure API + webhooks
  • No per-document fees

Operations teams

A supplier operations team can see partner setup, validation, exceptions, and QuickBooks handoff in one workspace instead of chasing spreadsheets.

Healthcare billing

837, 835, and 270/271 workflows are explained in plain English, with HIPAA-aware handling and a documented BAA review path for diligence.

Developer teams

JSON/CSV in and X12 out, with API docs, webhooks, real-time status, and validation responses that make EDI feel like modern infrastructure.

© 2026 CCCM Consulting LLC. All rights reserved.