Custom HMAC
Connect any provider that signs with HMAC-SHA256 over the raw body
If your partner signs the raw body with HMAC-SHA256 and doesn't fit one of the named modes, use Generic HMAC-SHA256. You control three pieces of configuration.
Setup
1. Wexio connection
New connection → Inbound → Auth mode: Generic HMAC-SHA256.
| Field | Description |
|---|---|
| Signing secret | The shared secret the partner uses to sign |
| Signature header name | Where the signature lands — case-insensitive (e.g. X-Signature, My-Sig-256) |
| Encoding | Hex (most providers) or Base64 (Shopify, HubSpot v3, Zendesk) |
| Header prefix | Optional prefix to strip from the value (e.g. sha256=, v1=) |
The signing input is always the raw body — no timestamp prefix, no path concatenation. If your partner includes a timestamp in the signing input, use an n8n/Make proxy to verify there and forward a plain Shared Secret request to Wexio.
2. Point the partner at Wexio
Partner-specific, but the pattern is: paste Wexio's endpoint URL as the webhook destination, share the signing secret both ways.
3. Contact resolution, schema, flow
Same as every inbound — identifier mapping, capture schema, bind a Webhook Received trigger.
How Verification Works
Wexio reads <headerName> from the request
├─ strips <prefix> if set
├─ decodes as <encoding>
└─ timing-safe compares against
HMAC-SHA256(<signing secret>, <raw body>)When This Mode Is NOT Enough
- Timestamp-prefixed signing (Stripe, Slack, Paddle, Revolut, Svix) — use the matching named mode.
- Asymmetric signatures (RSA, Ed25519, ECDSA, JWS) — proxy through n8n/Make for now.
- Signing input includes the URL or method (e.g. Twilio, Square) — proxy.
- Multiple signatures per header during rotation — only Stripe, Paddle, Svix modes parse multi-value headers. For custom HMAC, rotate by updating the secret in one shot.
Presets (for reference)
Many common providers already have presets that fill these fields — check them first:
| Provider | headerName | encoding | prefix |
|---|---|---|---|
| GitHub | X-Hub-Signature-256 | Hex | sha256= |
| Bitbucket Cloud | X-Hub-Signature-256 | Hex | sha256= |
| Shopify | X-Shopify-Hmac-Sha256 | Base64 | — |
| Mailgun (HTTP) | X-Mailgun-Signature-256 | Hex | — |
| Paystack | X-Paystack-Signature | Hex | — |
| Razorpay | X-Razorpay-Signature | Hex | — |
| PagerDuty | X-PagerDuty-Signature | Hex | v1= |
| Zendesk | X-Zendesk-Webhook-Signature | Base64 | — |
| HubSpot v3 | X-HubSpot-Signature-v3 | Base64 | — |
| Linear | Linear-Signature | Hex | — |
| Vercel | X-Vercel-Signature | Hex | — |
| Netlify | X-Webhook-Signature | Hex | — |
If your provider isn't listed but follows the same pattern — just set these four fields manually.
Troubleshooting
| Symptom | Fix |
|---|---|
UNAUTHORIZED: HMAC signature mismatch | Common causes: wrong encoding (hex vs base64), missing or wrong prefix, a reverse proxy is reformatting the body bytes, the partner uses a timestamp prefix in the signing input |
UNAUTHORIZED: Missing <header> | Partner isn't sending the header you configured — check case-insensitive spelling, or verify partner has signing enabled |
UNAUTHORIZED: Connection is missing its signing credential | The Wexio connection has mode set but no signing secret. Rotate/paste one |