Manually authenticating HMAC signatures for DocuSign Connect webhook configurations

When configuring a DocuSign Connect webhook, HMAC signatures should be used as a security measure to both authenticate the sender (DocuSign) and maintain message integrity. Your application should verify the webhook’s notification message as soon as it is received. The DocuSign Developer Center includes examples for verifying HMAC signatures in a variety of languages. 

This post shows you how to manually compute and verify the HMAC when you’re initially testing your webhook. 

To manually verify the notification message’s HMAC signature, you will need the following:

1. Secret key: This is the key that is assigned by DocuSign when you include an HMAC signature in your Connect configuration. Pro tip: it is easiest to use just one HMAC key at a time.
2. HMAC signature of the webhook request: You can use webhook.site or another public test site to monitor incoming requests and choose one to test its HMAC signature. The signature is the value of the request header “X-DocuSign-Signature-1”. DocuSign uses Base64 encoding for the signature.
3. Hashing Algorithm used to generate the signature: This is denoted by the value of the request header “x-authorization-digest”. Note: Current DocuSign HMACs use SHA256.
4. Body of the webhook request: Make sure to turn off any JSON formatting (“pretty-printing”) added by your webhook test site before copying the body.

With JSON formatting:

Without JSON formatting:

Once you have these in hand, manually compute the HMAC signature and check if it matches the signature sent by your webhook:

1. Use hmac-sha256-online or a similar online HMAC generator that uses SHA256 and the Base64 output format.
2. Generate the hashed output using your secret key and request body. The HMAC generator must produce a Base64 version of the HMAC:

3. Compare the output to the HMAC signature in your request header; they should match.

Troubleshooting

If the outputs do not match, perhaps your manually generated output is represented in a different notation than the one given by the request header. HMAC is a binary string, and can be represented in different formats such as binary, octal, hexadecimal, Base64, and others. DocuSign’s webhook request represents the HMAC signature in Base64 format. Make sure that your computed output is being represented in the same format before checking to see if they match.

Also check that you used the entire raw version of the HTTP POST request’s body parameter, and check that you copied the body without any added formatting by your test site. 

Summary

It’s easy to check the HMAC signature used by DocuSign manually. The best security for your server, your webhook listener, is multi-layered. Enable Basic Authentication and HMAC signatures for your webhook configuration: your web server will check the Basic Authentication security. Your application will additionally check the HMAC signature to make sure that the notification message’s sender was DocuSign and the message contents were not altered in transit.

Additional resources

• DocuSign Developer Center
• DocuSign for Developers on YouTube
• @DocuSignAPI on Twitter
• DocuSign on Twitch
• DocuSign for Developers on LinkedIn
• DocuSign Developer Newsletter