Question
How does Segment compute the x-signature header for Webhooks (Actions) destinations when batching is enabled? Is the signature generated over the entire batched payload or only the first event? Why do signatures sometimes match for unbatched and batched requests even when the payloads differ?
Product
Twilio Segment
Environment
Segment Console
Answer
For Segment Webhooks (Actions) destinations, the x-signature header is used to verify webhook authenticity. When batching is enabled, Segment computes the x-signature using only the first event in the batch, not the entire HTTP request payload. This means that the signature will be identical for both unbatched and batched requests containing the same first event, even if the batched payload includes additional events or is array-wrapped.
As a result, consumers can use the provided signature to verify the integrity of only the first event in a batch. Modifications to other events in the batch will not affect signature validation. This behavior is currently expected and confirmed by Segment engineering, though it is not yet documented publicly.
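The check below is an added example, not Segment's code or code from this article: a Node.js receiver that reports which events in a request the x-signature actually covers, so the rest can be handled as unauthenticated. It assumes the header is the hex HMAC-SHA1 of the JSON-serialized first event keyed with the destination's shared secret (the article does not state the algorithm); the function names, secret and sample events are constructed.

```javascript
// Added example: receiver-side check for a Webhooks (Actions) request.
// ASSUMPTION (not stated in the article): x-signature is the hex HMAC-SHA1 of
// JSON.stringify(event), keyed with the shared secret. The receiver re-serializes
// the parsed first event, which assumes the sender's JSON round-trips unchanged.
const crypto = require('node:crypto');

function sign(event, secret) {
  return crypto.createHmac('sha1', secret).update(JSON.stringify(event), 'utf8').digest('hex');
}

// Verifies the header and returns which events it covers and which it does not.
function verifyWebhook(rawBody, signatureHeader, secret) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { return { valid: false, covered: [], uncovered: [] }; }
  const events = Array.isArray(parsed) ? parsed : [parsed]; // batched bodies are arrays
  if (events.length === 0 || typeof signatureHeader !== 'string') {
    return { valid: false, covered: [], uncovered: events };
  }
  const expected = Buffer.from(sign(events[0], secret), 'utf8');
  const given = Buffer.from(signatureHeader.trim().toLowerCase(), 'utf8');
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  const valid = given.length === expected.length && crypto.timingSafeEqual(given, expected);
  return valid
    ? { valid, covered: events.slice(0, 1), uncovered: events.slice(1) }
    : { valid, covered: [], uncovered: events };
}

// Constructed sample data (not real Segment traffic).
const SECRET = 'constructed-shared-secret';
const first = { type: 'track', event: 'Order Completed', messageId: 'm-1' };
const second = { type: 'track', event: 'Order Completed', messageId: 'm-2' };
const header = sign(first, SECRET);

function demo() {
  const single = verifyWebhook(JSON.stringify(first), header, SECRET);
  const batch = verifyWebhook(JSON.stringify([first, second]), header, SECRET);
  const changedTail = verifyWebhook(JSON.stringify([first, { ...second, event: 'Changed' }]), header, SECRET);
  const changedHead = verifyWebhook(JSON.stringify([{ ...first, event: 'Changed' }, second]), header, SECRET);
  return { single, batch, changedTail, changedHead };
}
```

Events returned in `uncovered` carry no integrity guarantee from the header, so a receiver that needs authenticated events should rely on another control for them, such as disabling batching or restricting who can reach the endpoint.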