With signature verification, you can determine if the postback came from Dub, and has not been tampered with in transit. All postbacks are delivered with a Dub-Signature header. Dub generates this header using a secret key that only you and Dub know. An example header looks like this:
Dub-Signature: c9ed6a2abf93f59d761eea69908d8de00f4437b5b6d7cd8b9bf5719cbe61bf46

Finding your postback’s signing secret

You can find your postback’s signing secret when you create the postback or on the postback details page. Use the Rotate secret option if you need to generate a new secret. Keep this secret safe by storing it only in a secure environment variable (e.g. DUB_POSTBACK_SECRET). Do not commit it to git or include it in any client-side code.

Verifying a postback request

To verify, you can use the secret key to generate your own signature for each postback. If both signatures match then you can be sure that a received event came from Dub. The steps required are:
  1. Get the raw body of the request.
  2. Extract the signature from the Dub-Signature header.
  3. Calculate the HMAC of the raw body using the SHA-256 hash function and the secret.
  4. Compare the calculated HMAC with the one sent in the Dub-Signature header. If they match, the postback is verified.
Here’s an example of how you can verify a postback request in TypeScript:
import crypto from "node:crypto";

export const POST = async (req: Request) => {
  const postbackSignature = req.headers.get("Dub-Signature");
  if (!postbackSignature) {
    return new Response("No signature provided.", { status: 401 });
  }

  // Copy this from the postback details page
  const secret = process.env.DUB_POSTBACK_SECRET;
  if (!secret) {
    return new Response("No secret provided.", { status: 401 });
  }

  // Make sure to get the raw body from the request, not a parsed or
  // re-serialised version of it: the HMAC covers the exact bytes sent.
  const rawBody = await req.text();

  const computedSignature = crypto
    .createHmac("sha256", secret)
    .update(rawBody)
    .digest("hex");

  // Compare the decoded digests in constant time. timingSafeEqual throws on a
  // length mismatch, so check the length first and treat a mismatch as invalid.
  const received = Buffer.from(postbackSignature, "hex");
  const computed = Buffer.from(computedSignature, "hex");
  if (
    received.length !== computed.length ||
    !crypto.timingSafeEqual(received, computed)
  ) {
    return new Response("Invalid signature", { status: 400 });
  }

  // Handle the postback event
  // ...
};
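The same four steps factored into a reusable check, as an added example that is not Dub's own code: it rejects a missing or malformed header before comparing, compares the decoded HMAC in constant time with `timingSafeEqual`, and shows on a constructed payload that a tampered body, a wrong secret, and a re-serialised body all fail verification. The function names, the secret and the sample payload are assumptions made for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical helper: produces the hex HMAC-SHA256 the Dub-Signature header carries.
export function signPostback(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Hypothetical helper: true only if headerValue is the HMAC-SHA256 of rawBody under secret.
export function verifyPostbackSignature(
  rawBody: string,
  headerValue: string | null,
  secret: string,
): boolean {
  if (!headerValue) return false;
  // A SHA-256 digest is exactly 64 hex characters. Reject anything else up front:
  // timingSafeEqual throws on a length mismatch, and a malformed header must simply fail.
  if (!/^[0-9a-f]{64}$/i.test(headerValue)) return false;
  const expected = Buffer.from(signPostback(rawBody, secret), "hex");
  const received = Buffer.from(headerValue, "hex");
  return timingSafeEqual(expected, received);
}

// Constructed sample data for the demonstration; not a real Dub secret or event.
export const SAMPLE_SECRET = "constructed-test-secret";
export const SAMPLE_BODY = JSON.stringify({ event: "constructed.event", id: "evt_constructed" });
export const SAMPLE_SIGNATURE = signPostback(SAMPLE_BODY, SAMPLE_SECRET);

// Runs the check against a valid request and several failure modes.
export function demo(): Record<string, boolean> {
  return {
    valid: verifyPostbackSignature(SAMPLE_BODY, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    tamperedBody: verifyPostbackSignature(
      SAMPLE_BODY.replace("evt_constructed", "evt_other"), SAMPLE_SIGNATURE, SAMPLE_SECRET),
    wrongSecret: verifyPostbackSignature(SAMPLE_BODY, SAMPLE_SIGNATURE, "other-secret"),
    missingHeader: verifyPostbackSignature(SAMPLE_BODY, null, SAMPLE_SECRET),
    malformedHeader: verifyPostbackSignature(SAMPLE_BODY, "not-hex", SAMPLE_SECRET),
    // Pretty-printing the JSON changes the bytes, so the HMAC no longer matches:
    // always verify the raw body exactly as received.
    reserialisedBody: verifyPostbackSignature(
      JSON.stringify(JSON.parse(SAMPLE_BODY), null, 2), SAMPLE_SIGNATURE, SAMPLE_SECRET),
  };
}
```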

Why is signature verification important?

Signature verification is a crucial security measure that protects against request forgery and data tampering. Without verification, malicious actors could send fake postback events to your endpoint, potentially triggering unauthorized actions. The HMAC-SHA256 signature verification process ensures that only Dub can generate valid postback requests and that payloads haven’t been modified in transit. This provides both authentication (confirming the sender is Dub) and integrity (ensuring the message hasn’t been tampered with).