# Signed webhooks

Each webhook request sent by Rewardful includes a signature that you can use to verify the authenticity of the request: that it really came from Rewardful and was not altered in transit, rather than being a forged request that an attacker sent to your endpoint.

{% hint style="warning" %}
Although it's optional, we **strongly** recommend verifying webhook signatures to keep your app secure.
{% endhint %}

Rewardful generates signatures using a hash-based message authentication code ([HMAC](https://en.wikipedia.org/wiki/HMAC)) with [SHA-256](https://en.wikipedia.org/wiki/SHA-2). The signature is the HMAC-SHA256 of the raw webhook *request body*, keyed with your endpoint's *Signing Secret*, and is sent as a hexadecimal string. You can view your endpoint's Signing Secret from the [Webhooks](https://app.getrewardful.com/webhooks) page in your Rewardful dashboard.

The signature is contained in the HTTP header `X-Rewardful-Signature`. To verify it, compute the same HMAC-SHA256 over the request body using your Signing Secret and compare the result with the value of `X-Rewardful-Signature`. If they match, the request is legitimate. Two details matter in practice: compute the HMAC over the exact bytes you received (not over a parsed and re-serialized copy, which may differ in whitespace or key order and so produce a different signature), and compare the two values with a constant-time comparison function rather than a plain string equality, so that response timing does not reveal how much of the signature an attacker has guessed correctly. Note also that the signature proves origin and integrity only; it does not by itself stop a captured request from being resent, so design your handler to be idempotent.
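The following added example walks through the scheme described above end to end. It is not Rewardful's own code: the signing function exists only to produce a signature for a constructed sample body and secret (neither is real Rewardful data), and it assumes the header carries the lowercase hex digest that the framework examples below also compute. The verifier then shows which requests are rejected: a tampered body, a signature made with the wrong secret, a missing header, and a body that was decoded and re-encoded before hashing.

```python
import hashlib
import hmac
import json

HEADER_NAME = "X-Rewardful-Signature"


def sign(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw body, keyed with the Signing Secret, hex-encoded.

    Used here only to produce sample signatures; in production Rewardful
    computes this on its side and you only verify.
    """
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify(secret: str, raw_body: bytes, headers: dict) -> bool:
    """Return True only if X-Rewardful-Signature matches the raw body."""
    # Header names are case-insensitive and a proxy may forward them lowercased,
    # so look the header up without regard to case.
    received = next(
        (v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None
    )
    if received is None:
        return False
    expected = sign(secret, raw_body)
    # Constant-time comparison. A plain == short-circuits on the first
    # mismatching byte, which leaks how much of the signature was guessed right.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample data (hypothetical secret and webhook body).
SECRET = "my-rewardful-signing-secret"
BODY = b'{"event":"sale.created","data":{"id":"abc123","amount":4900}}'
VALID_HEADERS = {HEADER_NAME: sign(SECRET, BODY)}


def demo() -> dict:
    """Run the verifier against a genuine request and several bad ones."""
    results = {}
    # 1. Genuine request: header matches the body it was computed over.
    results["genuine"] = verify(SECRET, BODY, VALID_HEADERS)
    # 2. Body altered in transit (amount changed), original signature kept.
    tampered = BODY.replace(b"4900", b"490000")
    results["tampered_body"] = verify(SECRET, tampered, VALID_HEADERS)
    # 3. Forged request signed with a guessed secret.
    forged = {HEADER_NAME: sign("guessed-secret", BODY)}
    results["wrong_secret"] = verify(SECRET, BODY, forged)
    # 4. No signature header at all.
    results["missing_header"] = verify(SECRET, BODY, {})
    # 5. Same JSON, re-serialized: different bytes, so the HMAC no longer matches.
    reserialized = json.dumps(json.loads(BODY)).encode()
    results["bytes_differ"] = reserialized != BODY
    results["reserialized_body"] = verify(SECRET, reserialized, VALID_HEADERS)
    # 6. Header name lowercased by an intermediary still verifies.
    lowered = {HEADER_NAME.lower(): VALID_HEADERS[HEADER_NAME]}
    results["lowercase_header"] = verify(SECRET, BODY, lowered)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>18}: {'accepted' if ok else 'rejected'}")
```

Case 5 is the one that bites most integrations: frameworks that parse JSON before your code runs hand you an object, and re-encoding it rarely reproduces the original bytes. Always hash the raw body your framework exposes (`request.raw_post`, `php://input`, `request.body`).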

Here are some examples of how you can verify the signature in a few frameworks and programming languages.

### Ruby on Rails

```ruby
# Compute the expected signature over the raw request body. Do not use
# request.params or a re-serialized body: the HMAC must cover the exact
# bytes Rewardful sent.
expected_signature = OpenSSL::HMAC.hexdigest(
  'sha256',
  'my-rewardful-signing-secret',
  request.raw_post
)

received_signature = request.headers['X-Rewardful-Signature'].to_s

# secure_compare runs in constant time, so the comparison does not leak
# how many leading characters of the signature an attacker guessed correctly.
if ActiveSupport::SecurityUtils.secure_compare(expected_signature, received_signature)
  # The request is legitimate and can be safely processed.
else
  head :unauthorized
end
```

### PHP

```php
<?php

// Read the raw request body exactly as Rewardful sent it. The HMAC must be
// computed over these bytes, not over a decoded and re-encoded copy.
$payload = file_get_contents('php://input');

if ($payload === false || strlen($payload) == 0) {
  http_response_code(401);
  die("rejected");
}

// PHP exposes request headers as $_SERVER['HTTP_<NAME>'] with dashes turned
// into underscores. Unlike getallheaders(), this is available under every SAPI
// and is unaffected by the letter case in which a proxy forwarded the header.
if (!isset($_SERVER['HTTP_X_REWARDFUL_SIGNATURE'])) {
  http_response_code(401);
  die("rejected");
}

$receivedSignature = $_SERVER['HTTP_X_REWARDFUL_SIGNATURE'];
$expectedSignature = hash_hmac('sha256', $payload, 'my-rewardful-signing-secret');

// hash_equals() compares in constant time, so response timing does not reveal
// how much of the signature an attacker has guessed correctly.
if (!hash_equals($expectedSignature, $receivedSignature)) {
  http_response_code(401);
  die("rejected");
}

// The request is legitimate and can be safely processed.
```

### Django

```python
import hmac
import hashlib

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt  # Rewardful cannot supply a Django CSRF token
def rewardful_webhook(request):
    expected_signature = hmac.new(
        b'my-rewardful-signing-secret',  # hmac.new() needs a bytes key
        msg=request.body,  # raw body bytes, not a decoded and re-encoded copy
        digestmod=hashlib.sha256,
    ).hexdigest()
    received_signature = request.headers.get('X-Rewardful-Signature', '')

    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters an attacker has guessed correctly.
    if not hmac.compare_digest(expected_signature, received_signature):
        return HttpResponse(status=401)

    # The request is legitimate and can be safely processed.
    return HttpResponse(status=200)
```
