Each of our requests contains two extra headers: Elai-Timestamp and Elai-Signature.
Elai-Signature is based on the concatenation of two important fields in every webhook call:
```javascript
const message = [elaiTimestampFromHeader, payloadFromBody].join('.')
```
The signature itself is an HMAC created using the SHA256 hash function, by signing the message with your webhook secret as the signing key.
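```javascript
const crypto = require('crypto')

// Recompute the HMAC-SHA256 of the message with your webhook secret
const hmac = crypto.createHmac('sha256', webhookSecretToken)
hmac.update(message)
const signature = hmac.digest('hex')

// and check it (Node.js lowercases incoming header names in req.headers)
signature === req.headers['elai-signature']
```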
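The check above, wrapped as a reusable verifier that rejects missing or malformed headers and compares the signature in constant time with `crypto.timingSafeEqual`. This is an added example, not Elai's own code. Assumptions: the helper name `verifyElaiWebhook`, that the payload is the exact raw body string as received, and, for the optional freshness window only, that Elai-Timestamp is Unix epoch seconds (the page does not state its format).

```javascript
const crypto = require('crypto')

// Hypothetical helper (not part of any Elai SDK). `headers` is Node's
// req.headers (keys lowercased); `rawBody` is assumed to be the exact body
// string received, before any JSON parsing or re-serialization.
function verifyElaiWebhook(headers, rawBody, secret, opts = {}) {
  const timestamp = headers['elai-timestamp']
  const received = headers['elai-signature']
  if (typeof timestamp !== 'string' || typeof received !== 'string') {
    return { ok: false, reason: 'missing-header' }
  }
  // Same construction as on the page: timestamp + '.' + payload
  const message = [timestamp, rawBody].join('.')
  const expected = crypto.createHmac('sha256', secret).update(message).digest()

  // Reject anything that is not 32 bytes of hex, so timingSafeEqual (which
  // throws on unequal lengths) always receives two 32-byte buffers.
  if (!/^[0-9a-f]{64}$/i.test(received)) {
    return { ok: false, reason: 'malformed-signature' }
  }
  if (!crypto.timingSafeEqual(expected, Buffer.from(received, 'hex'))) {
    return { ok: false, reason: 'bad-signature' }
  }

  // Optional replay window. Assumption: Elai-Timestamp is Unix epoch
  // seconds, which the page does not state.
  if (opts.toleranceSec !== undefined) {
    const now = opts.nowSec !== undefined ? opts.nowSec : Math.floor(Date.now() / 1000)
    const ts = Number(timestamp)
    if (!Number.isFinite(ts) || Math.abs(now - ts) > opts.toleranceSec) {
      return { ok: false, reason: 'stale-timestamp' }
    }
  }
  return { ok: true, reason: null }
}

// Constructed sample request (not real Elai data)
const SAMPLE_SECRET = 'constructed-secret'
const SAMPLE_BODY = '{"event":"constructed"}'
const SAMPLE_TS = '1700000000'
const SAMPLE_SIG = crypto.createHmac('sha256', SAMPLE_SECRET)
  .update(SAMPLE_TS + '.' + SAMPLE_BODY).digest('hex')
const SAMPLE_HEADERS = { 'elai-timestamp': SAMPLE_TS, 'elai-signature': SAMPLE_SIG }
```

The timestamp is only trusted after the signature has verified, because it is part of the signed message.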