> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fourthwall.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Signature Verification

> Verify webhook authenticity with HMAC-SHA256 signatures

If you want to verify whether the request was in fact sent from Fourthwall you can do that by calculating the webhook digital signature.

## Getting your secret key

First head to the [webhook configuration panel](https://my-shop.fourthwall.com/admin/dashboard/settings/for-developers?redirect) in your site settings and find the secret key value assigned to your shop, e.g.:

```
e3f93c7c-c92b-4b8f-a9b1-5b70e0891abc
```

## Verifying the signature

Each webhook request comes with an `X-Fourthwall-Hmac-SHA256` base64 encoded header. To verify the request:

1. Compute the HMAC-SHA256 using your secret key and the entire webhook body
2. Base64 encode the result
3. Compare with the header value

```python theme={null}
import hmac
import hashlib
import base64

SECRET = 'secret_value_from_your_shop_webhook_settings'

def verify_signature(data, hmac_header):
    digest = hmac.new(SECRET.encode('utf-8'), data, digestmod=hashlib.sha256).digest()
    computed_hmac = base64.b64encode(digest)

    return hmac.compare_digest(computed_hmac, hmac_header.encode('utf-8'))
```

You can use any programming language as long as the algorithm follows the same principles.

## Signature verification for Platform Apps

The verification process for Platform Apps is the same, but uses a different header: `X-Fourthwall-Hmac-Apps-SHA256`.

You can get your HMAC key in your app's [settings](https://my-shop.fourthwall.com/admin/dashboard/settings/platform-apps?redirect).