
whatsapp-mcp



Function: verifyMetaSignature()

function verifyMetaSignature(rawBody, header, appSecret): boolean;

Defined in: src/webhook/verify-signature.ts:51 

Verify a Meta webhook signature header against the raw request body.

Parameters

rawBody

Buffer

exact bytes of the request body, before JSON parsing.

header

string | null | undefined

the value of the X-Hub-Signature-256 header. May include or omit the sha256= prefix (Meta always includes it; we tolerate either form).

appSecret

string

the WhatsApp App Secret bound to this webhook endpoint.

Returns

boolean

true if the signature is valid, false otherwise.

Remarks

  • Uses crypto.timingSafeEqual to prevent timing-based oracle attacks.
  • Returns false (not throws) on malformed headers so the caller decides the HTTP response.
  • The caller MUST respond with HTTP 404 on false — do not leak endpoint existence to scanners.
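The contract documented above, as an added sketch that is not the project's source in src/webhook/verify-signature.ts. The names verifySketch and statusFor, the 64-hex-character format check, the 200 success status and all sample values are assumptions made for illustration; the sample shows why the raw bytes, not re-serialised JSON, must be passed in.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical stand-in that follows the documented contract (not the project's code).
function verifySketch(
  rawBody: Buffer,
  header: string | null | undefined,
  appSecret: string,
): boolean {
  if (typeof header !== "string") return false;
  // Accept the digest with or without the "sha256=" prefix.
  const hex = header.startsWith("sha256=") ? header.slice(7) : header;
  // Malformed header: an HMAC-SHA256 digest is exactly 64 hex characters.
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) return false;
  const expected = createHmac("sha256", appSecret).update(rawBody).digest();
  const received = Buffer.from(hex, "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return timingSafeEqual(expected, received);
}

// Caller side: the boolean decides the HTTP status. 404 on failure follows the
// remarks above; 200 on success is an assumption of this sketch.
function statusFor(
  rawBody: Buffer,
  header: string | null | undefined,
  appSecret: string,
): number {
  return verifySketch(rawBody, header, appSecret) ? 200 : 404;
}

// Constructed sample input (not real Meta traffic, not a real App Secret).
const SECRET = "constructed-app-secret";
const BODY = Buffer.from('{"object":"whatsapp_business_account","entry":[]}');
const GOOD = "sha256=" + createHmac("sha256", SECRET).update(BODY).digest("hex");

// Parsing and re-serialising the JSON changes the bytes, so the same header
// no longer verifies. This is why rawBody must be captured before JSON parsing.
const REPARSED = Buffer.from(JSON.stringify(JSON.parse(BODY.toString()), null, 2));

function demo(): number[] {
  return [
    statusFor(BODY, GOOD, SECRET),
    statusFor(REPARSED, GOOD, SECRET),
    statusFor(BODY, "sha256=zz", SECRET),
    statusFor(BODY, undefined, SECRET),
  ];
}
```

In an HTTP framework, the raw body has to be read as a Buffer before any JSON body parser runs; how that is configured depends on the framework in use.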