Which events are signed?

Production webhooks should be signed, including verification result, badge status, DSR completion, and payment-related events.

Can I verify a parsed JSON body?

Use the raw body for signature calculation. Parsing and re-stringifying JSON can change bytes and break verification.

What if the same event arrives twice?

Use the event ID and idempotency storage so retries do not duplicate actions.

Webhook signatures FAQ — PRAMAAN Help Center

Overview

Webhook signatures let your system verify that an event came from PRAMAAN and was not altered in transit. Treat unsigned or invalid events as untrusted.

What to do

Step 1: Receive the raw request body.

Step 2: Compute the expected HMAC signature with your webhook secret.

Step 3: Compare using a constant-time check before processing the event.

Step 4: Return a 2xx response only after the event is safely accepted or idempotently ignored.

Signature header check

const signature = request.headers.get('x-pramaan-signature');
const rawBody = await request.text();
verifyPramaanSignature(rawBody, signature, process.env.PRAMAAN_WEBHOOK_SECRET);

Frequently asked questions

Next step

Move safely from answer to action.

Build signature verification and idempotency before enabling production webhooks.

Ask PRAMAAN Talk to a human

Was this helpful?

Webhook signatures FAQ