Class WebhookSignature
Helpers for verifying inbound Mailtrap webhook signatures.
public static class WebhookSignature
Inheritance
WebhookSignature
Remarks
Mailtrap signs every outbound webhook by computing
HMAC-SHA256(signing_secret, raw_request_body) and sending the lowercase hex digest
in the Mailtrap-Signature HTTP header. To authenticate a webhook on the receiver
side, compute the same digest using the signing_secret returned when the webhook
was created and compare it to the value of the header in constant time.
The comparison is performed in constant time to avoid timing side-channels.
Verify(string, string, string) never throws on inputs that could plausibly arrive over the wire (null / empty strings, wrong-length signatures, non-hex characters, missing secret) — it simply returns false. This makes it safe to call directly from a request handler without wrapping in try/catch.
Fields
SignatureHexLength
Hex-encoded HMAC-SHA256 signature length (SHA-256 produces 32 bytes / 64 hex chars).
public const int SignatureHexLength = 64
Field Value
Methods
Verify(string, string, string)
Verifies the HMAC-SHA256 signature of a Mailtrap webhook payload.
public static bool Verify(string payload, string signature, string signingSecret)
Parameters
payload string
The raw request body, exactly as received. Do not parse and re-serialize the JSON — re-encoding may reorder keys or alter whitespace and invalidate the signature. In ASP.NET Core, call HttpRequest.EnableBuffering() and read the body via new StreamReader(Request.Body).ReadToEndAsync(), or bind directly to a byte[] / Stream on the webhook endpoint so the body is preserved verbatim.
signature string
The value of the Mailtrap-Signature HTTP header (lowercase hex string).
signingSecret string
The webhook's signing_secret, returned by the Webhooks API on webhook creation.
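
The following stand-alone sketch is an added example, not the SDK's own implementation. It reproduces the check described in the Remarks and shows why the payload must be the raw body: the same JSON fails verification once it has been parsed and re-serialized. SketchVerifier, the sample secret and the sample body are constructed for illustration, and UTF-8 encoding of the secret and body is an assumption.

```csharp
#nullable enable
// Added sketch of the documented check; not the Mailtrap SDK source. Requires .NET 6+.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed sample values, not real Mailtrap data.
const string secret = "constructed-signing-secret";
const string rawBody = "{\"event\": \"delivery\",  \"message_id\": \"abc-123\"}";

// Sender side as documented: lowercase hex of HMAC-SHA256(signing_secret, raw body).
string header = Convert.ToHexString(HMACSHA256.HashData(
    Encoding.UTF8.GetBytes(secret), Encoding.UTF8.GetBytes(rawBody))).ToLowerInvariant();

// Parsing and re-serializing drops the original whitespace, so the signed bytes change.
using JsonDocument doc = JsonDocument.Parse(rawBody);
string reserialized = JsonSerializer.Serialize(doc.RootElement);

Console.WriteLine($"raw body verifies:         {SketchVerifier.Verify(rawBody, header, secret)}");
Console.WriteLine($"re-serialized verifies:    {SketchVerifier.Verify(reserialized, header, secret)}");
Console.WriteLine($"truncated header verifies: {SketchVerifier.Verify(rawBody, header[..10], secret)}");
Console.WriteLine($"non-hex header verifies:   {SketchVerifier.Verify(rawBody, new string('z', 64), secret)}");
Console.WriteLine($"missing secret verifies:   {SketchVerifier.Verify(rawBody, header, null)}");

static class SketchVerifier // hypothetical name, not part of the SDK
{
    const int SignatureHexLength = 64; // 32-byte SHA-256 digest written as hex

    public static bool Verify(string? payload, string? signature, string? signingSecret)
    {
        // Malformed input is rejected by returning false instead of throwing.
        if (string.IsNullOrEmpty(payload) || string.IsNullOrEmpty(signingSecret)) return false;
        if (signature is null || signature.Length != SignatureHexLength) return false;

        byte[] provided;
        try { provided = Convert.FromHexString(signature); }
        catch (FormatException) { return false; }

        // Assumption: secret and body are encoded as UTF-8 before hashing.
        byte[] expected = HMACSHA256.HashData(
            Encoding.UTF8.GetBytes(signingSecret), Encoding.UTF8.GetBytes(payload));

        // Compare the digests without an early exit on the first differing byte.
        return CryptographicOperations.FixedTimeEquals(expected, provided);
    }
}
```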