# Security

Webhook signing secrets can be used to verify that incoming requests genuinely originate from our systems and haven't been tampered with. These secrets are available in the Svix Portal, accessible via the [Webhooks](https://app.soharhealth.com/webhooks) page in your dashboard.

Sohar webhooks use [Svix](https://www.svix.com/) for secure message delivery. To verify the authenticity of these webhooks, you must:

* Use the provided webhook secret.
* Extract and process the `svix-id`, `svix-timestamp`, and `svix-signature` headers.
* Use the raw body of the request to compute the HMAC signature.

<Steps>
  <Step title="Install the Svix SDK">
    This is a JavaScript example. Other language examples are available in the [Svix documentation](https://docs.svix.com/receiving/verifying-payloads/how).

    ```bash theme={null}
    npm install svix
    ```
  </Step>

  <Step title="Use the Webhook Verifier">
    ```javascript theme={null}
    import { Webhook } from 'svix';

    const secret = process.env.WEBHOOK_SECRET; // Signing secret from the Svix Portal

    // Headers received with the webhook request (sample values shown here;
    // in a handler, read them from the incoming request)
    const headers = {
      'svix-id': 'msg_bNaGN5s2IJgP0aeHcgjlmOzh',
      'svix-timestamp': '1750612550',
      'svix-signature': 'v1,cIoc4hu+u+C4V8o72ynm2z4tNBzu+5tcNvGyc4ELnUY=',
    };

    const payload = '{"status": "complete"}'; // Raw request body, exactly as received

    const wh = new Webhook(secret);

    // Throws an error if verification fails; reject the request in that case
    wh.verify(payload, headers);
    ```

    <Tip>
      Always use the raw request body when verifying webhooks, as even minor changes can invalidate the cryptographic signature. Be cautious with frameworks that automatically parse and re-serialize JSON bodies: this transformation can alter the payload and cause signature verification to fail.
    </Tip>
  </Step>
</Steps>
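
The three checks listed at the top of this page, written out with Node's built-in `crypto` module as an added example (not Sohar's or Svix's code). It follows the manual verification scheme Svix documents: HMAC-SHA256 over `<svix-id>.<svix-timestamp>.<raw body>`, keyed with the base64 part of the `whsec_` secret. The secret, message id and `SAMPLE_NOW` are constructed values, and the function names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: same five-minute window (past or future) the Svix libraries apply.
const TOLERANCE_SECONDS = 5 * 60;

// HMAC-SHA256 over "<svix-id>.<svix-timestamp>.<raw body>"; returns a Buffer.
function sign(secret, id, timestamp, rawBody) {
  // The secret is "whsec_" followed by the base64-encoded key.
  const key = Buffer.from(secret.replace(/^whsec_/, ''), 'base64');
  return nodeCrypto.createHmac('sha256', key).update(`${id}.${timestamp}.${rawBody}`).digest();
}

function verifyWebhook(secret, headers, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
  const id = headers['svix-id'];
  const timestamp = headers['svix-timestamp'];
  const signatureHeader = headers['svix-signature'];
  if (!id || !timestamp || !signatureHeader) return { ok: false, reason: 'missing header' };

  // Reject stale or future-dated messages so a captured request cannot be replayed later.
  const ts = Number(timestamp);
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > TOLERANCE_SECONDS) {
    return { ok: false, reason: 'timestamp outside tolerance' };
  }

  const expected = sign(secret, id, timestamp, rawBody);
  // The header can carry several space-separated "v1,<base64>" entries; any one may match.
  for (const entry of signatureHeader.split(' ')) {
    const [version, value] = entry.split(',');
    if (version !== 'v1' || !value) continue;
    const candidate = Buffer.from(value, 'base64');
    // Constant-time comparison; timingSafeEqual requires equal lengths.
    if (candidate.length === expected.length && nodeCrypto.timingSafeEqual(candidate, expected)) {
      return { ok: true, reason: 'signature match' };
    }
  }
  return { ok: false, reason: 'no matching signature' };
}

// Constructed sample data (not a real secret or message).
const SAMPLE_SECRET = 'whsec_' + Buffer.from('constructed-test-key-0123456789ab').toString('base64');
const SAMPLE_BODY = '{"status": "complete"}';
const SAMPLE_NOW = 1750612600; // 50 seconds after the sample timestamp
function sampleHeaders() {
  const id = 'msg_constructed_example', timestamp = '1750612550';
  const sig = sign(SAMPLE_SECRET, id, timestamp, SAMPLE_BODY).toString('base64');
  return { 'svix-id': id, 'svix-timestamp': timestamp, 'svix-signature': `v1,${sig}` };
}
```

Calling `verifyWebhook(SAMPLE_SECRET, sampleHeaders(), SAMPLE_BODY, SAMPLE_NOW)` succeeds, while passing `JSON.stringify(JSON.parse(SAMPLE_BODY))` as the body returns `no matching signature`, because re-serialization drops the space after the colon.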
