# Protecting your webhooks
URL: /webhooks/protecting-your-webhooks

It is recommended to validate incoming webhook requests to ensure that they originate from OnlyFans API, and not from a malicious actor. You can do this by verifying the `Signature` header in the request.

***

title: "Protecting your webhooks"
description: "It is recommended to validate incoming webhook requests to ensure that they originate from OnlyFans API, and not from a malicious actor. You can do this by verifying the `Signature` header in the request."
icon: ShieldCheck
-----------------

<Callout>
  You can choose any signing secret, but it is recommended to use a long, random string.
</Callout>

## How the signature is calculated

We calculate the signature using the HMAC SHA256 algorithm. The payload (as json) is the string, and the signing secret is the key.

## Verifying the signature

Below you can find examples of how to verify the signature in different programming languages.

```php tab="PHP"
$computedSignature = hash_hmac('sha256', $requestContent, $signingSecret);
```

```python tab="Python"
import hmac
import hashlib

computed_signature = hmac.new(signing_secret.encode(), request_content.encode(), hashlib.sha256).hexdigest()
```

```javascript tab="JavaScript"
const crypto = require('crypto');

const computedSignature = crypto
    .createHmac('sha256', signingSecret)
    .update(requestContent)
    .digest('hex');
```

```go tab="Go"
package main

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
)

func main() {
    signingSecret := []byte("your_signing_secret")
    requestContent := []byte("your_request_content")

    h := hmac.New(sha256.New, signingSecret)
    h.Write(requestContent)
    computedSignature := hex.EncodeToString(h.Sum(nil))

    // Use `computedSignature` as needed
}
```

```java tab="Java"
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;
import java.nio.charset.StandardCharsets;

public class HmacSha256Example {
    public static void main(String[] args) throws Exception {
        String signingSecret = "your_signing_secret";
        String requestContent = "your_request_content";

        Mac mac = Mac.getInstance("HmacSHA256");
        SecretKeySpec secretKeySpec = new SecretKeySpec(signingSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        mac.init(secretKeySpec);

        byte[] hmacBytes = mac.doFinal(requestContent.getBytes(StandardCharsets.UTF_8));
        String computedSignature = bytesToHex(hmacBytes);

        // Use `computedSignature` as needed
    }

    private static String bytesToHex(byte[] bytes) {
        StringBuilder hexString = new StringBuilder();
        for (byte b : bytes) {
            String hex = Integer.toHexString(0xff & b);
            if (hex.length() == 1) {
                hexString.append('0');
            }
            hexString.append(hex);
        }
        return hexString.toString();
    }
}
```

```ruby tab="Ruby"
require 'openssl'

computed_signature = OpenSSL::HMAC.hexdigest('sha256', signing_secret, request_content)
```