Skip to main content
Every webhook Kua sends carries an X-Kua-Signature header. Verify it with your endpoint’s signing secret (whsec_…) before trusting the payload.

Headers

HeaderDescription
X-Kua-Signaturet={unix_seconds},v1={hex_hmac}
X-Kua-Event-TypeThe event type, e.g. payroll.disbursed.
X-Kua-Event-IdThe event’s unique id (use it to dedupe).
X-Kua-Delivery-IdThis delivery attempt’s id.

How the signature is computed

Kua computes HMAC-SHA256(secret, "{t}.{raw_body}") and hex-encodes it as the v1 value, where t is the timestamp in the header and raw_body is the exact bytes of the request body.

Verify (Node.js)

Verify against the raw request body, before any JSON parsing/re-serialization — re-encoding changes the bytes and breaks the signature.

Guard against replays

The t timestamp lets you reject stale deliveries — e.g. ignore anything older than a few minutes. Combined with deduping on X-Kua-Event-Id, this makes your handler safe against retries and replays.