Skip to main content
Gainsight Inc.

Webhook Verification

Webhooks sent by Northpass can be verified by calculating a digital signature.

This article helps you understand how to verify the webhook request.


Webhooks sent by Gainsight CE can be authenticated by computing a digital signature.

Each Webhook request contains an X-Northpass-Hmac-SHA256header, generated using your school’s shared secret in combination with the request data.

To confirm that the request originated from Northpass, calculate the HMAC digest using the specified algorithm and compare it with the value in the X-Northpass-Hmac-SHA256 header. If they match, you can trust that the Webhook was indeed sent by Northpass and that the data remains intact.

Note: if you are using a Rack based framework such as Ruby on Rails or Sinatra, the header you are looking for is HTTP_X_Northpass_Hmac_SHA256

Below is a simple example in Ruby using the Sinatra web framework of how one might verify a webhook request:

require 'rubygems'
require 'base64'
require 'openssl'
require 'sinatra'
# The SchoolKeep app's shared secret, viewable from the Webhooks app
SHARED_SECRET = 'my_shared_secret'
helpers do
  # Compare the computed HMAC digest based on the shared secret and the request contents
  # to the reported HMAC in the headers
  def verify_webhook(data, hmac_header)
    digest  ='sha256')
    calculated_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, SHARED_SECRET, data)).strip
    calculated_hmac == hmac_header
# Respond to HTTP POST requests sent to this web service
post '/' do  request.body.rewind
  data =
  verified = verify_webhook(data, 
  # Output 'true' or 'false'  
puts "Webhook verified: #{verified}"

Questions? Contact us a and we'll be happy to assist!

  • Was this article helpful?