Concept > Security


Table of contents

Securing Webhooks

To ensure the authenticity of event requests, Mailgun signs them and posts the signature along with other webhook parameters:


Parameter Type Description
timestamp int Number of seconds passed since January 1, 1970.
token sting Randomly generated string with length 50.
signature sting String with hexadecimal digits generate by HMAC algorithm.

To verify the webhook is originating from Looper you need to:

  • Concatenate timestamp and token values.
  • Encode the resulting string with the HMAC algorithm (using your API Key as a key and SHA256 digest mode).
  • Compare the resulting hexdigest to the signature.
  • Optionally, you can cache the token value locally and not honor any subsequent request with the same token. This will prevent replay attacks.
  • Optionally, you can check if the timestamp is not too far from the current time.

Below is a PHP code sample used to verify the signature:

private function verify($apiKey, $token, $timestamp, $signature)
    //check if the timestamp is fresh
    if (abs(time() - $timestamp) > 15) {
        return false;

    //returns true if signature is valid
    return hash_hmac('sha256', $timestamp.$token, $apiKey) === $signature;