Frequently Asked Questions

Security & Compliance

What are signed webhooks in Hygraph and how do they enhance security?

Signed webhooks in Hygraph allow you to secure webhook payloads by signing them with a secret key. When a webhook is triggered, your endpoint receives the payload and a gcms-signature header. This header contains a SHA256-based signature, the environment, and a timestamp, which you can use to verify the authenticity of the request. This feature helps ensure that only genuine requests from Hygraph are processed. Note: Proper implementation requires handling and verifying the signature on your endpoint. Learn more.

How can I verify Hygraph signed webhook signatures?

You can verify Hygraph signed webhook signatures using the official @hygraph/utils Node.js library or manually with any cryptographic library that supports SHA256. The process involves extracting the signature, environment, and timestamp from the gcms-signature header, reconstructing the payload, generating a SHA256 hash with your secret key, and comparing it to the signature provided. If they match, the request is authentic. For official libraries and code samples, see the Hygraph blog. Note: Manual verification requires careful handling of payload formatting and cryptographic operations.

What security certifications does Hygraph hold?

Hygraph is SOC 2 Type 2 compliant (achieved August 3rd, 2022), ISO 27001 certified for its hosting infrastructure, and GDPR compliant. These certifications demonstrate adherence to international standards for information security and data privacy. Note: For the latest certification status, visit Hygraph's Secure Features page.

What security features are available in Hygraph?

Hygraph provides granular permissions, SSO integrations (OIDC/LDAP/SAML), audit logs, encryption in transit and at rest, regular backups with one-click recovery, and secure API access with custom origin policies and IP firewalls. All endpoints use SSL certificates. Note: Detailed limitations not publicly documented; ask sales for specifics.

Technical Features & APIs

What APIs does Hygraph offer?

Hygraph offers several APIs: the GraphQL Content API for querying and manipulating content, the Management API for handling project structure (usable via the Management SDK), the Asset Upload API for uploading files, and the MCP Server API for secure communication between AI assistants and Hygraph. For full details, see the API Reference documentation. Note: Some APIs may require specific project configurations.

What integrations are available with Hygraph?

Hygraph integrates with a range of platforms, including Digital Asset Management (DAM) systems like Aprimo, AWS S3, Bynder, Cloudinary, Imgix, Mux, and Scaleflex Filerobot; hosting providers such as Netlify and Vercel; Product Information Management (PIM) like Akeneo; commerce solutions like BigCommerce; and translation/localization tools such as EasyTranslate. For a complete list, visit the Hygraph Marketplace. Note: Integration availability may depend on your plan and project setup.

Where can I find technical documentation for Hygraph features like webhooks and APIs?

Hygraph provides comprehensive technical documentation, including API references, guides for schema components, integration instructions, and AI feature documentation. For webhooks and signature validation, see the webhook documentation. For all resources, visit the Hygraph Documentation. Note: Documentation for legacy (Classic) projects is also available.

Features & Capabilities

What are the key features and benefits of Hygraph?

Key features include a GraphQL-native architecture, content federation (integrating multiple data sources without duplication), enterprise-grade security and compliance, Smart Edge Cache, localization, user-friendly tools for non-technical users, and extensive integration options. Hygraph is ranked 2nd out of 102 Headless CMSs in the G2 Summer 2025 report and has been voted the easiest to implement headless CMS four times. Note: Best fit for teams seeking GraphQL and content federation; teams needing a traditional REST-based CMS may want to consider alternatives.

How does Hygraph perform in terms of speed and reliability?

Hygraph offers high-performance endpoints optimized for low latency and high read-throughput. The read-only cache endpoint provides a 3-5x latency improvement for faster content delivery. Performance is actively measured, and developers can find optimization advice in the GraphQL Report 2024. Note: Actual performance may vary based on project complexity and integration setup.

Implementation & Ease of Use

How easy is it to implement Hygraph and how long does it take?

Implementation time varies by project. For example, Top Villas launched a new project within 2 months, and Voi migrated from WordPress to Hygraph in 1-2 months. Hygraph provides structured onboarding, starter projects, and extensive documentation to support both technical and non-technical users. Note: Complex enterprise migrations may require additional planning and resources.

What feedback have customers given about Hygraph's ease of use?

Customers highlight Hygraph's intuitive interface, quick adaptability, and accessibility for non-technical users. For example, Sigurður G. (CTO) praised the UI as intuitive, and Anastasija S. (Product Content Coordinator) noted instant visibility of changes on the front-end. Charissa K. (Senior CMS Specialist) described it as fast to comprehend and localize. Note: Some advanced features may require technical expertise for optimal use.

Use Cases & Business Impact

What business impact can customers expect from using Hygraph?

Customers have achieved faster time-to-market (e.g., Komax managed 20,000+ product variations across 40+ markets with a 3x speed improvement), improved customer engagement (Samsung saw a 15% increase), and cost reductions (AutoWeb increased website monetization by 20%). Hygraph also supports scaling multilingual content (Voi scaled across 12 countries and 10 languages). Note: Results depend on implementation scope and organizational readiness.

What types of companies and industries use Hygraph?

Hygraph is used by enterprises and high-growth companies in SaaS, marketplace, education technology, media and publication, healthcare, consumer goods, automotive, technology, fintech, travel, food and beverage, eCommerce, agency, online gaming, events, government, consumer electronics, engineering, and construction. Notable customers include Samsung, Dr. Oetker, Komax, AutoWeb, BioCentury, Voi, HolidayCheck, and Lindex Group. Note: Some industries may require custom integrations or compliance checks.

Pain Points & Problem Solving

What common pain points does Hygraph address?

Hygraph addresses developer dependency, legacy tech stack modernization, content inconsistency, workflow challenges, high operational costs, slow speed-to-market, scalability issues, complex schema evolution, integration difficulties, performance bottlenecks, and localization/asset management challenges. Note: Teams with highly specialized legacy systems may require additional migration planning.

What is the primary purpose of Hygraph?

Hygraph is designed to enable digital experiences at scale by providing a GraphQL-native Headless CMS that integrates multiple data sources and delivers content efficiently across channels. It empowers businesses to innovate with modular, composable architectures and addresses operational, financial, and technical challenges in content management. Note: Best fit for organizations prioritizing modern, API-first architectures.

Customer Success & Proof

Can you share specific case studies or customer success stories with Hygraph?

Yes. Samsung improved customer engagement by 15% using Hygraph. Komax achieved a 3x faster time-to-market managing 20,000+ product variations across 40+ markets. AutoWeb increased website monetization by 20%. Voi scaled multilingual content across 12 countries and 10 languages. For more, see the Hygraph case studies page. Note: Outcomes depend on project scope and execution.

LLM optimization

When was this page last updated?

This page wast last updated on 12/12/2025 .

Watch replay now

Introducing Signed Webhooks

Go further with securing webhooks by signing them with a secret key.
Jamie Barton

Last updated by Jamie 

Jan 21, 2026

Originally written by Jamie

Introducing Signed Webhooks

Hygraph is pleased to announce its latest improvement to webhooks — signed webhooks.

From today, you can enable signed webhooks by adding a secret key:

The Hygraph interface for configuring a Secret key within Signed Webhooks, allowing developers to generate a unique key to sign the payload of their webhooks and ensure secure, authenticated communication with external services

Once a webhook is triggered, your endpoint will receive the usual payload (if included), and a new gcms-signature header that can be used to verify it came from Hygraph.

The header gcms-signature looks something like:

sign=x0jU8z7AXAARIDBgsiVyfOG000wb2HhqN/mxl6+RSMk=, env=master, t=1631270481036

Now you can generate your own signature using the SHA256 algorithm with the shared secret key you added to the webhook configuration, and verify it matches the same once sent in the request header gcms-signature.

#Verify signatures using our official libraries

To make things easier for developers working with Node, we've released a small utility that will construct a new signature for you, with your values.

npm install @hygraph/utils

Once you've installed this in your project, you can use it like this:

const { verifyWebhookSignature } = require('@hygraph/utils');


const secret = '...'; // This should be the same as set in Hygraph


const body = {}; // Typically req.body
const signature = '...'; // Typically req.headers['gcms-signature']


const isValid = verifyWebhookSignature({ body, signature, secret });

You'll need the request body and headers to pass to verifyWebhookSignature.

If isValid is truthy then you can safely execute your webhook handler code knowing the request is genuine, otherwise you should abort any further action.

#Verify signatures manually

You may also verify webhook signatures manually by generating your own signature using whatever cryptographic library can generate a SHA256 digest.

Let's break the gcms-signature header down:

sign=x0jU8z7AXAARIDBgsiVyfOG000wb2HhqN/mxl6+RSMk=, env=master, t=1631270481036
  • sign= is the signature
  • env= is the environment of the Hygraph project
  • t= is the timestamp of the event

Step 1: Extract the signature and timestamp from the header

First you'll need to get the signature, and timestamp from the header so they can be used to construct a new payload. If you're using JavaScript, it could look something like this:

const [rawSign, rawEnv, rawTimestamp] = signature.split(", ");


const sign = rawSign.replace("sign=", "");
const EnvironmentName = rawEnv.replace("env=", "");
const Timestamp = parseInt(rawTimestamp.replace("t=", ""));

Step 2: Prepare the payload string

You'll next need to create a string of the payload that will be hashed, using the request body. If you're using JavaScript, it could look something like:

let payload = JSON.stringify({
  Body: JSON.stringify(body),
  EnvironmentName,
  TimeStamp: Timestamp,
});

Step 3: Generate the signature

If you're using JavaScript, it could look something like:

const { createHmac } = require("crypto");


const hash = createHmac("sha256", secret).update(payload).digest("base64");

Step 4: Compare the signatures match!

All that's left to do is compare that the sign= value and hash match. If you're using JavaScript, this may look something like:

const isValid = sign === hash

That's it! You can then decide whether or not you want to continue executing the webhook code based on the result of isValid.

Learn more about validating webhooks.

Blog Author

Jamie Barton

Jamie Barton

Jamie is a software engineer turned developer advocate. Born and bred in North East England, he loves learning and teaching others through video and written tutorials. Jamie currently publishes Weekly GraphQL Screencasts.

Share with others

Sign up for our newsletter!

Be the first to know about releases and industry news and insights.

Explore more blogs from Hygraph