# Securing your webhook

> Check the webhook's signature to prevent downgrade attacks.

<Steps>
  <Step title="Get your webhook secret">
    Log in to Doczilla and copy your webhook secret key from the organization settings page.
  </Step>

  <Step title="Get the header">
    Each webhook call includes an `x-doczilla-signature` header containing a signature that you
    can verify.

    To prevent [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack), Doczilla generates
    signatures using a hash-based message authentication code (HMAC) with SHA-256.
  </Step>

  <Step title="Verify the signature with raw body">
    To verify your webhook, re-create the signature with your webhook secret and the raw body, then
    compare it with the value of the `x-doczilla-signature` header.

    See also [Webhook event](/api-reference/webhook-event) for the full event payload.

    #### Examples

    <CodeGroup>
      ```javascript Express + Node.js SDK theme={null}
      import Doczilla from '@doczilla/node'
      import express from 'express'

      const doczilla = new Doczilla('doczilla-...')

      // Set your webhook secret here
      const webhookSecret = 'whsec-...'

      const app = express()

      // Match the raw body to content type application/json
      app.post(
        '/webhook',
        express.raw({ type: 'application/json' }),
        (request, response) => {
          const signature = request.headers['x-doczilla-signature']

          try {
            const payload = doczilla.webhook.verifyPayload(request.body, signature, webhookSecret)

            // Do something with the generated document
            console.log(payload)

            // Return a response to acknowledge receipt of the event
            response.json({ received: true })

          } catch (err) {
            response.status(400).send('Signature invalid!')
          }
        }
      )

      app.listen(4242, () => console.log('Running on port 4242'))
      ```

      ```javascript Node.js theme={null}
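      import crypto from 'node:crypto'

      // webhookSecret: your webhook secret
      // rawBody: the request body exactly as received (not re-serialized JSON)
      // signature: the value of the x-doczilla-signature header
      const payloadSignature = crypto
        .createHmac('sha256', webhookSecret)
        .update(rawBody, 'utf8')
        .digest('hex')

      // Compare in constant time; timingSafeEqual throws if the lengths differ
      const expected = Buffer.from(payloadSignature, 'utf8')
      const received = Buffer.from(String(signature ?? ''), 'utf8')

      if (expected.length === received.length && crypto.timingSafeEqual(expected, received)) {
        // Valid
      }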
      ```
    </CodeGroup>
  </Step>
</Steps>
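
Why the signature must be checked against the raw body, shown as an added example (not Doczilla's or the SDK's code). It assumes the header carries the bare hex HMAC-SHA256 digest, as the Node.js snippet above implies; `sign`, `verifySignature`, `demo`, the secret and the payload are constructed for illustration.

```javascript
// Added example with constructed sample values; not part of the Doczilla SDK.
// Loads node:crypto whether this file runs as CommonJS or as an ES module.
const crypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto')

// Hex HMAC-SHA256 over the exact bytes of the body.
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex')
}

// Returns true only when the header matches the HMAC of the raw body.
function verifySignature(rawBody, header, secret) {
  // Reject a missing, repeated (array) or malformed header before comparing.
  if (typeof header !== 'string' || !/^[0-9a-f]{64}$/.test(header)) return false
  const expected = Buffer.from(sign(rawBody, secret), 'hex')
  const received = Buffer.from(header, 'hex')
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(expected, received)
}

// Constructed delivery: the whitespace is part of the signed bytes.
const secret = 'whsec-example-not-a-real-secret'
const rawBody = Buffer.from('{"id": 42,  "status": "done"}', 'utf8')
const header = sign(rawBody, secret)

// What a JSON body parser leaves you with: same data, different bytes.
const reserialized = JSON.stringify(JSON.parse(rawBody.toString('utf8')))
const tampered = Buffer.from(rawBody.toString('utf8').replace('42', '43'), 'utf8')

function demo() {
  return {
    rawBody: verifySignature(rawBody, header, secret),
    reserialized: verifySignature(reserialized, header, secret),
    tampered: verifySignature(tampered, header, secret),
    missingHeader: verifySignature(rawBody, undefined, secret),
    truncatedHeader: verifySignature(rawBody, header.slice(0, 10), secret),
    wrongSecret: verifySignature(rawBody, header, 'whsec-some-other-secret'),
  }
}

console.log(demo())
```

Only the untouched raw body verifies; the re-serialized copy fails even though it parses to the same object, which is why the Express example mounts `express.raw` on the webhook route.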
