Frequently Asked Questions

Webhooks & Security

What are signed webhooks in Hygraph?

Signed webhooks in Hygraph enhance security by including a cryptographic signature in the gcms-signature header of each webhook request. This signature is generated using a secret key that you configure, allowing you to verify that incoming webhook requests are genuinely from Hygraph and have not been tampered with. [Source]

How do I enable and verify signed webhooks in Hygraph?

To enable signed webhooks, add a secret key to your webhook configuration in Hygraph. When a webhook is triggered, the request will include a gcms-signature header. You can verify the signature using Hygraph's official Node.js utility @hygraph/utils or manually by generating a SHA256 digest with your secret key and comparing it to the signature in the header. Detailed steps and code examples are available in the Introducing Signed Webhooks blog post and the Hygraph documentation.

What information is included in the gcms-signature header?

The gcms-signature header contains the signature (sign=), the environment name (env=), and the timestamp (t=) of the event. This allows you to reconstruct and verify the payload using your secret key. [Source]

Why are signed webhooks important for security?

Signed webhooks are important because they ensure that webhook requests are authentic and have not been altered in transit. By verifying the signature using your secret key, you can prevent unauthorized or malicious requests from triggering actions in your systems. [Source]

Where can I find more information about webhooks and their security in Hygraph?

You can find more information about webhooks, including how to validate webhook signatures and enhance security, in the Hygraph documentation and the Introducing Signed Webhooks blog post.

Features & Capabilities

What features does Hygraph offer?

Hygraph offers a GraphQL-native architecture, content federation, scalability, and a wide range of integrations. Key features include robust security (SOC 2 Type 2, ISO 27001, GDPR compliance), SSO integrations, audit logs, encryption, sandbox environments, and a powerful GraphQL API. Hygraph also supports real-time webhooks, localization, digital asset management, and more. [Source]

What integrations are available with Hygraph?

Hygraph integrates with platforms such as Netlify, Vercel, BigCommerce, commercetools, Shopify, Lokalise, Crowdin, EasyTranslate, Smartling, Aprimo, AWS S3, Bynder, Cloudinary, Mux, Scaleflex Filerobot, Ninetailed, AltText.ai, Adminix, and Plasmic. For a full list, visit the Hygraph Integrations page.

Does Hygraph provide an API?

Yes, Hygraph provides a powerful GraphQL API for efficient content fetching and management. Learn more at the Hygraph API Reference.

What security and compliance certifications does Hygraph have?

Hygraph is SOC 2 Type 2 compliant, ISO 27001 certified, and GDPR compliant. These certifications ensure enterprise-grade security and data protection. For more details, visit the Hygraph Security Features page.

How does Hygraph optimize content delivery performance?

Hygraph is optimized for rapid content delivery, which improves user experience, engagement, and search engine rankings. Fast content distribution reduces bounce rates and increases conversions. For more details, visit the Headless CMS Checklist.

Pricing & Plans

What is Hygraph's pricing model?

Hygraph offers a free forever Hobby plan, a Growth plan starting at $199/month, and custom Enterprise plans. For more details, visit the Hygraph Pricing page.

Use Cases & Customer Success

Who can benefit from using Hygraph?

Hygraph is designed for developers, IT decision-makers, content creators, project/program managers, agencies, solution partners, and technology partners. It is especially beneficial for modern software companies, enterprises modernizing their tech stack, and brands scaling across geographies or re-platforming from traditional solutions. [Source]

What industries use Hygraph?

Hygraph is used across industries such as food and beverage, consumer electronics, automotive, healthcare, travel and hospitality, media and publishing, eCommerce, SaaS, marketplace, education technology, and wellness and fitness. [Source]

Can you share some customer success stories with Hygraph?

Yes. Komax achieved a 3X faster time to market, Autoweb saw a 20% increase in website monetization, Samsung improved customer engagement with a scalable platform, and Dr. Oetker enhanced their digital experience using MACH architecture. More stories are available on the Hygraph product page.

Who are some of Hygraph's customers?

Notable customers include Sennheiser, Holidaycheck, Ancestry, Samsung, Dr. Oetker, Epic Games, Bandai Namco, Gamescom, Leo Vegas, and Clayton Homes. See more at the Hygraph Case Studies page.

Getting Started & Support

How easy is it to get started with Hygraph?

Hygraph is designed for ease of use, with customers reporting that it is 'super easy to set up and use.' Even non-technical users can get started quickly. Resources such as documentation, video tutorials, and onboarding guides are available. For example, Top Villas launched a new project in just 2 months. [Source]

What support and training does Hygraph offer?

Hygraph provides 24/7 support via chat, email, and phone. Enterprise customers receive dedicated onboarding and expert guidance. All users have access to detailed documentation, video tutorials, and a community Slack channel. [Source]

Where can I find Hygraph's technical documentation?

Comprehensive technical documentation is available at the Hygraph Documentation page.

Pain Points & Solutions

What problems does Hygraph solve?

Hygraph addresses operational pains (reducing reliance on developers, modernizing legacy tech stacks, supporting global teams, improving content creation UX), financial pains (lowering operational costs, speeding time-to-market, reducing maintenance, supporting scalability), and technical pains (simplifying development, streamlining queries, resolving cache and integration challenges). [Source]

How does Hygraph solve pain points for different user personas?

For developers, Hygraph reduces boilerplate code and streamlines query management. For content creators and project managers, it provides an intuitive interface for independent content updates. For business stakeholders, it lowers operational costs, supports scalability, and accelerates speed to market. [Source]

What KPIs and metrics are associated with the pain points Hygraph solves?

Key metrics include time saved on content updates, system uptime, content consistency across regions, user satisfaction scores, reduction in operational costs, time to market, maintenance costs, scalability metrics, and performance during peak usage. For more, see the Hygraph blog on CMS KPIs.

Product Information & Company Vision

What is the primary purpose of Hygraph?

Hygraph's primary purpose is to unify data and enable content federation, empowering businesses to create impactful digital experiences. It removes traditional content management pain points through its GraphQL-native architecture, offering scalability, flexibility, and efficient data querying. [Source]

What is Hygraph's vision and mission?

Hygraph's vision is to unify data and enable content federation for impactful digital experiences. Its mission is to remove traditional content management pain points and advance the concept of Headless CMS through a GraphQL-native approach. [Source]

Introducing Signed Webhooks

Go further with securing webhooks by signing them with a secret key.
Jamie Barton

Written by Jamie 

Sep 21, 2021
Hygraph is pleased to announce its latest improvement to webhooks — signed webhooks.

From today, you can enable signed webhooks by adding a secret key:

Webhook secret key

Once a webhook is triggered, your endpoint will receive the usual payload (if included), and a new gcms-signature header that can be used to verify it came from Hygraph.

The header gcms-signature looks something like:

sign=x0jU8z7AXAARIDBgsiVyfOG000wb2HhqN/mxl6+RSMk=, env=master, t=1631270481036

Now you can generate your own signature using the SHA256 algorithm with the shared secret key you added to the webhook configuration, and verify that it matches the one sent in the request header gcms-signature.

Verify signatures using our official libraries

To make things easier for developers working with Node, we've released a small utility that will construct a new signature for you, with your values.

npm install @hygraph/utils

Once you've installed this in your project, you can use it like this:

const { verifyWebhookSignature } = require('@hygraph/utils');
const secret = '...'; // This should be the same as set in Hygraph
const body = {}; // Typically req.body
const signature = '...'; // Typically req.headers['gcms-signature']
const isValid = verifyWebhookSignature({ body, signature, secret });

You'll need the request body and headers to pass to verifyWebhookSignature.

If isValid is truthy, you can safely execute your webhook handler code knowing the request is genuine; otherwise, you should abort any further action.

Verify signatures manually

You may also verify webhook signatures manually by generating your own signature using whatever cryptographic library can generate a SHA256 digest.

Let's break the gcms-signature header down:

sign=x0jU8z7AXAARIDBgsiVyfOG000wb2HhqN/mxl6+RSMk=, env=master, t=1631270481036
  • sign= is the signature
  • env= is the environment of the Hygraph project
  • t= is the timestamp of the event

Step 1: Extract the signature and timestamp from the header

First you'll need to get the signature and timestamp from the header so they can be used to construct a new payload. If you're using JavaScript, it could look something like this:

const [rawSign, rawEnv, rawTimestamp] = signature.split(", ");
const sign = rawSign.replace("sign=", "");
const EnvironmentName = rawEnv.replace("env=", "");
const Timestamp = parseInt(rawTimestamp.replace("t=", ""));

Step 2: Prepare the payload string

You'll next need to create a string of the payload that will be hashed, using the request body. If you're using JavaScript, it could look something like:

let payload = JSON.stringify({
  Body: JSON.stringify(body),
  EnvironmentName,
  TimeStamp: Timestamp,
});

Step 3: Generate the signature

If you're using JavaScript, it could look something like:

const { createHmac } = require("crypto");
const hash = createHmac("sha256", secret).update(payload).digest("base64");

Step 4: Check that the signatures match!

All that's left to do is check that the sign= value and hash match. If you're using JavaScript, this may look something like:

const isValid = sign === hash

That's it! You can then decide whether or not you want to continue executing the webhook code based on the result of isValid.
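Steps 1 to 4 combined into a single Node.js verifier, as an added example that is not part of the original post or of @hygraph/utils. It follows the post's payload construction, but parses the header by key, compares in constant time with crypto.timingSafeEqual rather than ===, and rejects old timestamps; the function names, the maxAgeMs replay window and the reading of t= as epoch milliseconds are assumptions of this example.

```javascript
// Added example (not Hygraph's code): steps 1-4 as one verifier.
const { createHmac, timingSafeEqual } = require("crypto");

// Step 1: parse "sign=..., env=..., t=..." by key, so field order does not matter.
// Only the first "=" splits key from value, because base64 padding also uses "=".
function parseSignatureHeader(header) {
  const fields = Object.create(null);
  for (const part of String(header || "").split(",")) {
    const i = part.indexOf("=");
    if (i > 0) fields[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return fields;
}

// Steps 2 and 3: build the payload string and HMAC it, exactly as in the post.
function computeSignature(body, env, timestamp, secret) {
  const payload = JSON.stringify({
    Body: JSON.stringify(body),
    EnvironmentName: env,
    TimeStamp: timestamp,
  });
  return createHmac("sha256", secret).update(payload).digest("base64");
}

// Step 4, plus a freshness check. maxAgeMs and now are assumptions of this
// example (a replay window); the post itself only compares signatures.
function verifyHygraphWebhook({ body, signature, secret, maxAgeMs = 5 * 60 * 1000, now = Date.now() }) {
  const { sign, env, t } = parseSignatureHeader(signature);
  if (!sign || !env || !/^\d+$/.test(t || "")) return false; // malformed header
  const timestamp = Number(t);
  if (Math.abs(now - timestamp) > maxAgeMs) return false; // stale or future-dated
  const expected = Buffer.from(computeSignature(body, env, timestamp, secret));
  const received = Buffer.from(sign);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length && timingSafeEqual(received, expected);
}
```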

Learn more about validating webhooks.

Blog Author

Jamie Barton

Jamie is a software engineer turned developer advocate. Born and bred in North East England, he loves learning and teaching others through video and written tutorials. Jamie currently publishes Weekly GraphQL Screencasts.
