Webhooks

Your webhook receiver has no idea who's calling.

HMAC signing secrets must be shared between sender and receiver. If either side leaks the secret, anyone can forge webhooks.

The problem with webhook authentication

HMAC secrets must be shared
Both the sender and receiver must have the same secret. That means two places to leak, two places to rotate, and a shared channel to distribute it.
No sender identity
An HMAC proves the payload came from something holding the secret and was not modified in transit, but it cannot distinguish one holder from another. Any system with the secret can forge a webhook that verifies.
Webhook URLs are guessable
A webhook endpoint has to be reachable by the sender, so the URL is not a secret you can rely on. An attacker who finds the URL needs only the shared signing secret to send arbitrary payloads that pass validation.

The solution

// Webhook sender — signs with device identity
import { amesh } from '@authmesh/sdk';

await amesh.fetch('https://partner.com/webhooks/orders', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    event: 'order.created',
    data: { id: 'ord_001', amount: 4999 },
  }),
});

What changes

Before
Shared HMAC secret
"Someone with the secret sent this"
Rotate secret on both sides
After
No shared secret. Asymmetric crypto.
"Device am_8f3a (orders-api) sent this"
Revoke sender device. Receiver unchanged.