For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Book a demoLog inStart for free
  • Overview
    • Introduction
    • How it works
    • Quickstart
    • Customer showcase
  • Working with SDKs
    • Project structure
    • Adding custom code
    • Migrating to Replay
    • Capabilities
  • Generators
      • SDK user features
      • Customize your README
      • Customize method names
      • Filter endpoints by audience
      • Server URL templating
      • Webhook signature verification
  • Reference
    • generators.yml
Checking status...
SOC2Soc 2 Type II
© 2026 Fern • Birch Solutions, Inc., a Postman company

Documentation

SDKsDocsAsk FernCLI Reference

API Definitions

OpenAPIAsyncAPIOpenRPCgRPC

Resources

BlogSupportPricing

Company

Brand KitPrivacy PolicyTerms of Service
LogoLogo
Book a demoLog inStart for free
On this page
  • Generated SDK behavior
  • Setting up webhook signature verification
SDK design

Webhook signature verification

||View as Markdown|
Was this page helpful?
Edit this page
Previous

Server URL templating

Next

Configure global headers

When you define webhooks in your API spec, Fern automatically generates utilities that allow your SDK users to verify webhook signatures and ensure events originate from your API.

Fern supports two signature verification methods:

  • Hash-based Message Authentication Code (HMAC) — Symmetric key verification using shared secrets
  • Asymmetric — Public key verification using RSA, Elliptic Curve Digital Signature Algorithm (ECDSA), or Ed25519 keys
Webhook signature verification is currently supported for TypeScript SDK generation only.

Generated SDK behavior

The generated SDK exposes a verifyWebhookSignature utility:

1import { verifyWebhookSignature } from "my-api";
2
3// In your webhook handler
4app.post("/webhooks", (req, res) => {
5  // Verify the signature using your webhook secret
6  const payload = verifyWebhookSignature(req, {
7    secret: process.env.WEBHOOK_SECRET,
8  });
9
10  // Process the verified payload
11  console.log("Received event:", payload);
12
13  res.status(200).send("OK");
14});

Setting up webhook signature verification

Configure signature verification in your API definition. Settings can be applied at the document level (inherited by all webhooks) or per-webhook (overrides document-level settings).

openapi.yml
1x-fern-webhook-signature:
2  type: hmac
3  header: x-webhook-signature
4  algorithm: sha256
5  encoding: hex
6  payload-format:
7    components: [timestamp, body]
8    delimiter: "."
9  timestamp:
10    header: x-webhook-timestamp
11    format: unix-seconds
12    tolerance: 300

For full configuration details, see Webhook signature verification in OpenAPI.