Abhishek Gupta

Reputation: 6615

How to secure webhook identity

I am developing a service where customers can register their webhook URL and I will be sending updates to the registered URLs. For the sake of security, I want to let the client (receiver) verify that it's me (the server) who is sending them the request.

Facebook and GitHub both send an X-Hub-Signature header containing the hash of the payload prefixed with a secret key.

I can follow the same strategy. But what if I simply use JWT:

  1. On registering the webhook I share a secret key with the client.
  2. Then in each webhook request I will be sending a JWT computed using the same secret key.

I don't know much about cryptography, but the JWT approach seems more efficient, as I don't have to compute the signature again and again because I am not using the payload in the signature.

But then why do both Facebook and GitHub follow the other approach?

Upvotes: 3

Views: 1724

Answers (1)

Erwan Legrand

Reputation: 4405

Using a MAC (Message Authentication Code) allows one to authenticate a message, as implied by the name. Sending a secret with every message is not wise, as this is likely to result in the secret being compromised. An attacker might intercept one of the messages and then start issuing spoofed messages.

Another thing which you might want to consider is replay attacks. What if an attacker intercepts a message and sends the same message later?

Edit: Using JWT is fine, as it includes a MAC, but you must make sure that the payload is authenticated (i.e. included in the computation of the MAC).

Upvotes: 1
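As an added illustration of the answer above (not code from either poster), here is a sender-side signature and receiver-side check in the X-Hub-Signature style, where the HMAC covers both the raw payload and a timestamp, so a tampered body is rejected and a captured message cannot be replayed outside the window. The header names, the demo secret and the 300-second window are assumptions.

```python
import hmac
import hashlib
import json
import time

# Constructed demo secret; in practice one is generated per webhook registration.
SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # assumed replay window; tune to your delivery guarantees


def sign(secret: bytes, body: bytes, timestamp: int) -> dict:
    """Sender side: the MAC covers the timestamp and the raw body, so neither can be altered."""
    msg = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Header names are assumptions, modelled on X-Hub-Signature.
    return {"X-Webhook-Timestamp": str(timestamp),
            "X-Webhook-Signature": "sha256=" + digest}


def verify(secret: bytes, body: bytes, headers: dict, now: int, seen: set) -> bool:
    """Receiver side: recompute over the raw bytes, compare in constant time,
    then reject stale deliveries and exact repeats seen within the window."""
    try:
        ts = int(headers["X-Webhook-Timestamp"])
        sig = headers["X-Webhook-Signature"]
    except (KeyError, ValueError):
        return False
    if not sig.startswith("sha256="):
        return False
    expected = hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig[len("sha256="):], expected):
        return False  # payload or timestamp was modified, or wrong secret
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # too old (or too far in the future) to accept
    if sig in seen:
        return False  # same signed message delivered again: replay
    seen.add(sig)
    return True


if __name__ == "__main__":
    body = json.dumps({"event": "order.paid", "id": 42}).encode()  # constructed payload
    now = int(time.time())
    hdrs = sign(SECRET, body, now)
    seen = set()
    print(verify(SECRET, body, hdrs, now, seen))          # True
    print(verify(SECRET, body, hdrs, now, seen))          # False: replay
    print(verify(SECRET, body + b" ", hdrs, now, set()))  # False: tampered body
```

The `seen` set stands in for whatever store the receiver uses to remember recent signatures; it only needs to hold entries for the length of the replay window.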
