Webhook Signing overview
KnoxCall’s Webhook Signing is HMAC-as-a-service for outbound events. When KnoxCall fires a webhook (workflow output, alert dispatch, custom integration), the payload is signed with HMAC-SHA256 in the format the recipient expects. They verify the signature and trust the bytes; nobody can forge an event without the shared secret. This is the inverse of Inbound Webhooks — same wire formats, opposite direction.Why use it
Supported formats
Same six formats as Inbound Webhooks verification:
The killer test that proves the formats are right: KnoxCall’s
stripe-format output is verified end-to-end by Stripe’s own SDK in the test suite. If stripe.webhooks.constructEvent accepts our header, the wire format is byte-correct. The same kind of round-trip test exists for every format, and KnoxCall’s own Inbound Webhooks verifier is the inverse — outbound + inbound share the same six format definitions, so the round-trip is structurally guaranteed.
How recipients verify
Every format follows the same pattern: HMAC-SHA256 over a defined byte sequence (often the raw body, sometimes prefixed with a timestamp), encoded as hex or base64, dropped into a known header. The recipient recomputes the HMAC with the shared secret and compares constant-time. For the wire-level details (what bytes get signed, what the header looks like, replay-window semantics), see the Inbound Webhooks format guide — both directions speak the same protocol.Where signing happens in KnoxCall
Webhook Signing applies anywhere KnoxCall fires HTTP events outward:- Workflows — emit signed events to integrations.
- Alerts — sign Slack-format webhook deliveries to your incident channel.
- Custom dispatcher — pick a format on the subscription; KnoxCall handles the signing.
Choosing a format
- Talking to a real provider that documents a scheme? Use the matching format. Stripe receivers expect
stripe, Slack receivers expectslack, GitHub-shaped receivers expectgithub, etc. - Talking to your own service? Use
legacy(KnoxCall’s default) for KnoxCall-to-KnoxCall flows, orcustomif you want to pick the header name yourself. - Talking to an integration that doesn’t document a scheme?
legacyorcustom— most receivers will accept “HMAC-SHA256 of the body in this header” if you tell them which header to read.
Plan limits
Multi-format webhook signing (everything exceptlegacy) is gated to paid tiers — Pro and above. Free / Starter ship with legacy only. See pricing for current limits.
Next steps
- Inbound Webhooks overview → — verify HMAC-signed webhooks coming in from external providers
- Format guide → — wire-level details (shared with inbound)