Your webhook signing key lets you verify that callback requests are genuinely from DocPipe and have not been tampered with.Documentation Index
Fetch the complete documentation index at: https://docs.docpipe.ai/llms.txt
Use this file to discover all available pages before exploring further.
Why use a signing key
Without signature verification, any HTTP request to your callback URL could impersonate DocPipe. A signing key lets you cryptographically verify each request.Generating a signing key
- Go to Settings → Webhook Keys
- Click Generate key
- Copy the key and store it securely in your application’s configuration
Verifying signatures
When DocPipe sends a callback, it includes a signature header computed from the request body using your signing key. To verify:- Read the raw request body
- Compute an HMAC-SHA256 hash using your signing key
- Compare the computed hash with the signature in the request header
- Only process the request if they match
Rotating your key
DocPipe supports zero-downtime key rotation. During rotation, both the primary and secondary key are active, and callback signatures are computed with both. To rotate your signing key:- Go to Settings → Webhook Keys
- Click Rotate. This generates a new primary key and demotes the current key to secondary
- Copy the new key and update your application to use it
- Once all integrations are updated, click Complete rotation to remove the old secondary key
X-DocPipe-Signature header includes signatures from both the old and new key, so your existing integration continues to work while you transition.
Revoking your key
To delete your signing key entirely:- Go to Settings → Webhook Keys
- Click Revoke