> ## Documentation Index
> Fetch the complete documentation index at: https://docs.jelou.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# HMAC-SHA256 Signature

> Verification and generation of HMAC-SHA256 signatures for bidirectional communication

The `X-Jelou-Signature` header with format `sha256=HMAC_HEX_DIGEST` is used in **both directions**:

* **Verification:** When receiving events from Jelou on your webhook, you must verify the signature to ensure integrity.
* **Generation:** When sending messages to Jelou's webhook (`incoming_message`), you must generate and send the signature.

***

## Verification of events received from Jelou

All events sent by Jelou to the webhook include the `X-Jelou-Signature` header. It is recommended to **always verify** the signature.

```javascript theme={null}
const crypto = require("crypto");

function verifySignature(payload, signature, signingSecret) {
    const expectedSignature = crypto
        .createHmac("sha256", signingSecret)
        .update(JSON.stringify(payload))
        .digest("hex");

    const expected = `sha256=${expectedSignature}`;

    return (
        signature.length === expected.length &&
        crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))
    );
}
```

***

## Signature generation for sending to Jelou

When the external provider sends a message to the end user via `POST /v1/external-support/webhook`, it **must include** the `X-Jelou-Signature` header with the HMAC-SHA256 signature of the body.

<Warning>
  The `body` being signed must be the **exact same string** sent in the request. Serialize the payload with `JSON.stringify()` once and use that same string for both generating the signature and for the request body.
</Warning>

```javascript theme={null}
const crypto = require("crypto");

const payload = { /* your payload here */ };
const signingSecret = "your_signing_secret";

const body = JSON.stringify(payload);
const signature = crypto
    .createHmac("sha256", signingSecret)
    .update(body)
    .digest("hex");

console.log("Body (use as raw body):");
console.log(body);
console.log("\nX-Jelou-Signature:", `sha256=${signature}`);
```

***

## Authentication headers sent by Jelou

Based on the `authType` configured in the integration, Jelou will send the corresponding header when invoking your webhook:

| authType  | Header sent                                   |
| --------- | --------------------------------------------- |
| `bearer`  | `Authorization: Bearer {{token}}`             |
| `api_key` | `X-API-Key: {{api_key}}`                      |
| `basic`   | `Authorization: Basic {{base64_credentials}}` |
| `no_auth` | No authentication header                      |
