Webhook signing secrets

Overview

WebhookSigningSecret is an entity that represents a symmetric key shared between Contentful and a webhook receiver. Contentful uses this secret to sign the requests it sends to a webhook receiver, which allows the receiver to verify that the requests it receives are made by legitimate users of the app through Contentful.

NOTE: WebhookSigningSecrets are a space-level resource and only one can be created per space.

Storing a WebhookSigningSecret for a webhook in Contentful causes all future webhook call requests to be signed automatically with the secret. The receiving backend decides whether to validate this signature, so enabling signing should not have any immediate effect until the receiver starts using the signature.

There are two constraints on the secret:

  1. It must be exactly 64 characters long.
  2. It must match this regular expression: /^[0-9a-zA-Z+/=_-]+$/. This also means secrets using the hex or base64 character set are allowed.

We recommend using a cryptographic pseudorandom number generator to generate a secret. See our guide on request verification for examples of how to generate a secret.
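The following Node.js sketch is an added example, not code from Contentful or from the guide mentioned above. It generates a secret from the operating system's CSPRNG and checks a candidate against the two constraints listed on this page; the function names are assumptions made for illustration.

```javascript
// Added example (not Contentful's code): generate and check a signing secret.
const { randomBytes } = require("node:crypto");

const SECRET_LENGTH = 64;
// The page's pattern; "/" is escaped only because this is a regex literal.
const SECRET_PATTERN = /^[0-9a-zA-Z+\/=_-]+$/;

// 32 bytes from the OS CSPRNG, hex-encoded: 64 characters, 256 bits.
function generateHexSecret() {
  return randomBytes(32).toString("hex");
}

// 48 bytes, base64url-encoded: 64 characters (no "=" padding), 384 bits.
function generateBase64UrlSecret() {
  return randomBytes(48).toString("base64url");
}

// Returns a list of violated constraints; an empty list means acceptable.
function checkSecret(candidate) {
  if (typeof candidate !== "string") return ["secret must be a string"];
  const problems = [];
  if (candidate.length !== SECRET_LENGTH) {
    problems.push(`length is ${candidate.length}, must be exactly ${SECRET_LENGTH}`);
  }
  if (!SECRET_PATTERN.test(candidate)) {
    problems.push("contains characters outside 0-9 a-z A-Z + / = _ -");
  }
  return problems;
}

// Constructed inputs showing common mistakes.
const samples = {
  hex: generateHexSecret(),
  base64url: generateBase64UrlSecret(),
  tooShort: randomBytes(16).toString("hex"),      // 32 characters
  trailingNewline: generateHexSecret() + "\n",    // e.g. read from a file
  badCharacter: "p@ss".padEnd(64, "0"),
};
for (const [name, value] of Object.entries(samples)) {
  const problems = checkSecret(value);
  console.log(name, problems.length ? problems : "ok");
}
```

A secret read from a file or environment variable often carries a trailing newline, which fails both constraints, so trim it before storing the value.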