notes.chiubaca.com

how to keep mailgun webhooks secure - https://www.mailgun.com/blog/product/a-guide-to-using-mailguns-webhooks/

tldr, heres the code

let crypto;
try {
  crypto = require('node:crypto');
} catch (err) {
  console.log('crypto support is disabled!');
}

const apikey = "this-would-be-a-hash-provided-by-mailgun"

// this would be available in the event.body of the webhook response
const signature = {
    token: 'jkashdjkashjkdhaksjhdashk',
    timestamp: '1653941793',
    signature: 'hjdkashdjkashdaskh
  };

const key = signature.timestamp + signature.token  
const hash = crypto.createHmac('sha256', apikey)  
                   .update(key)
                   .digest('hex');

console.log(hash) // this should match signature.signature