{"id":"cd8ab937-71b8-4f6b-a343-82cedb7a14dd","task":"Verify a Lever webhook signature to authenticate incoming payloads","domain":"lever.co","steps":["In your Lever account under Settings > Integrations > Webhooks, configure a webhook endpoint and copy the signing token Lever provides.","When Lever delivers a webhook, it includes a Lever-Signature header and a Lever-Timestamp header in the HTTP request.","Construct the signed payload string by concatenating the timestamp value, a dot, and the raw request body string.","Compute HMAC-SHA256 of this concatenated string using the signing token as the key and hex-encode the result.","Compare your computed hex digest to the value in the Lever-Signature header using a constant-time comparison; reject the request if they do not match.","Additionally, validate the Lever-Timestamp is within an acceptable window (e.g., 5 minutes) of the current time to prevent replay attacks."],"gotchas":["The signed payload is timestamp + '.' + raw_body — the exact construction matters; using just the body or using a different separator causes signature mismatches.","Always use the raw request body bytes for HMAC computation before any parsing; JSON re-serialization may change key order or whitespace and break signature validation.","Lever may retry failed webhook deliveries; implement idempotent processing using a unique identifier from the payload to avoid processing the same event multiple times."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:33.807Z"},"url":"https://mcp.waymark.network/r/cd8ab937-71b8-4f6b-a343-82cedb7a14dd"}