GitHub X-Hub-Signature-256 Verification

GitHub signs each webhook delivery with an HMAC-SHA256 over the raw request body. Verify that raw body before processing the event.

Last updated: 2026-06-24

GitHub sends the HMAC as a hex digest in the X-Hub-Signature-256 header. Verification is straightforward as long as the raw body reaches the verifier unchanged, that is, before any parsing or re-serialization.

Verification steps

  1. Read the raw payload.
  2. Remove the sha256= prefix from the header.
  3. Compute HMAC_SHA256(secret, payload).
  4. Compare the digest with the header value.

Example

const { createHmac } = require('node:crypto');

// HMAC-SHA256 over the raw body bytes; the hex digest is what the header carries after "sha256="
const expected = createHmac('sha256', secret)
  .update(payload, 'utf8')
  .digest('hex');

Common mistakes

  • Verifying after body parsing (a parsed and re-serialized body no longer matches the bytes GitHub signed)
  • Forgetting to strip the sha256= prefix from the header value before comparing
  • Using the wrong webhook secret

FAQ

Which header should I inspect?

X-Hub-Signature-256.

Do I also need X-GitHub-Event?

Yes. That header tells you what kind of event the payload represents.

Test both headers side by side in WebhookPilot for faster debugging.