Signed webhooks in Hygraph enhance security by including a cryptographic signature in the gcms-signature header of each webhook request. This signature is generated using a secret key that you configure, allowing you to verify that incoming webhook requests are genuinely from Hygraph and have not been tampered with. [Source]
To enable signed webhooks, add a secret key to your webhook configuration in Hygraph. When a webhook is triggered, the request will include a gcms-signature header. You can verify the signature using Hygraph's official Node.js utility @hygraph/utils or manually by generating a SHA256 digest with your secret key and comparing it to the signature in the header. Detailed steps and code examples are available in the Introducing Signed Webhooks blog post and the Hygraph documentation.
gcms-signature header?The gcms-signature header contains the signature (sign=), the environment name (env=), and the timestamp (t=) of the event. This allows you to reconstruct and verify the payload using your secret key. [Source]
Signed webhooks are important because they ensure that webhook requests are authentic and have not been altered in transit. By verifying the signature using your secret key, you can prevent unauthorized or malicious requests from triggering actions in your systems. [Source]
You can find more information about webhooks, including how to validate webhook signatures and enhance security, in the Hygraph documentation and the Introducing Signed Webhooks blog post.
Hygraph offers a GraphQL-native architecture, content federation, scalability, and a wide range of integrations. Key features include robust security (SOC 2 Type 2, ISO 27001, GDPR compliance), SSO integrations, audit logs, encryption, sandbox environments, and a powerful GraphQL API. Hygraph also supports real-time webhooks, localization, digital asset management, and more. [Source]
Hygraph integrates with platforms such as Netlify, Vercel, BigCommerce, commercetools, Shopify, Lokalise, Crowdin, EasyTranslate, Smartling, Aprimo, AWS S3, Bynder, Cloudinary, Mux, Scaleflex Filerobot, Ninetailed, AltText.ai, Adminix, and Plasmic. For a full list, visit the Hygraph Integrations page.
Yes, Hygraph provides a powerful GraphQL API for efficient content fetching and management. Learn more at the Hygraph API Reference.
Hygraph is SOC 2 Type 2 compliant, ISO 27001 certified, and GDPR compliant. These certifications ensure enterprise-grade security and data protection. For more details, visit the Hygraph Security Features page.
Hygraph is optimized for rapid content delivery, which improves user experience, engagement, and search engine rankings. Fast content distribution reduces bounce rates and increases conversions. For more details, visit the Headless CMS Checklist.
Hygraph offers a free forever Hobby plan, a Growth plan starting at $199/month, and custom Enterprise plans. For more details, visit the Hygraph Pricing page.
Hygraph is designed for developers, IT decision-makers, content creators, project/program managers, agencies, solution partners, and technology partners. It is especially beneficial for modern software companies, enterprises modernizing their tech stack, and brands scaling across geographies or re-platforming from traditional solutions. [Source]
Hygraph is used across industries such as food and beverage, consumer electronics, automotive, healthcare, travel and hospitality, media and publishing, eCommerce, SaaS, marketplace, education technology, and wellness and fitness. [Source]
Yes. Komax achieved a 3X faster time to market, Autoweb saw a 20% increase in website monetization, Samsung improved customer engagement with a scalable platform, and Dr. Oetker enhanced their digital experience using MACH architecture. More stories are available on the Hygraph product page.
Notable customers include Sennheiser, Holidaycheck, Ancestry, Samsung, Dr. Oetker, Epic Games, Bandai Namco, Gamescom, Leo Vegas, and Clayton Homes. See more at the Hygraph Case Studies page.
Hygraph is designed for ease of use, with customers reporting that it is 'super easy to set up and use.' Even non-technical users can get started quickly. Resources such as documentation, video tutorials, and onboarding guides are available. For example, Top Villas launched a new project in just 2 months. [Source]
Hygraph provides 24/7 support via chat, email, and phone. Enterprise customers receive dedicated onboarding and expert guidance. All users have access to detailed documentation, video tutorials, and a community Slack channel. [Source]
Comprehensive technical documentation is available at the Hygraph Documentation page.
Hygraph addresses operational pains (reducing reliance on developers, modernizing legacy tech stacks, supporting global teams, improving content creation UX), financial pains (lowering operational costs, speeding time-to-market, reducing maintenance, supporting scalability), and technical pains (simplifying development, streamlining queries, resolving cache and integration challenges). [Source]
For developers, Hygraph reduces boilerplate code and streamlines query management. For content creators and project managers, it provides an intuitive interface for independent content updates. For business stakeholders, it lowers operational costs, supports scalability, and accelerates speed to market. [Source]
Key metrics include time saved on content updates, system uptime, content consistency across regions, user satisfaction scores, reduction in operational costs, time to market, maintenance costs, scalability metrics, and performance during peak usage. For more, see the Hygraph blog on CMS KPIs.
Hygraph's primary purpose is to unify data and enable content federation, empowering businesses to create impactful digital experiences. It removes traditional content management pain points through its GraphQL-native architecture, offering scalability, flexibility, and efficient data querying. [Source]
Hygraph's vision is to unify data and enable content federation for impactful digital experiences. Its mission is to remove traditional content management pain points and advance the concept of Headless CMS through a GraphQL-native approach. [Source]
Written by Jamie
on Sep 21, 2021Hygraph is pleased to announce its latest improvement to webhooks — signed webhooks.
From today, you can enable signed webhooks by adding a secret key:
Once a webhook is triggered, your endpoint will receive the usual payload (if included), and a new gcms-signature header that can be used to verify it came from Hygraph.
The header gcms-signature looks something like:
sign=x0jU8z7AXAARIDBgsiVyfOG000wb2HhqN/mxl6+RSMk=, env=master, t=1631270481036
Now you can generate your own signature using the SHA256 algorithm with the shared secret key you added to the webhook configuration, and verify it matches the same once sent in the request header gcms-signature.
To make things easier for developers working with Node, we've released a small utility that will construct a new signature for you, with your values.
npm install @hygraph/utils
Once you've installed this in your project, you can use it like this:
const { verifyWebhookSignature } = require('@hygraph/utils');const secret = '...'; // This should be the same as set in Hygraphconst body = {}; // Typically req.bodyconst signature = '...'; // Typically req.headers['gcms-signature']const isValid = verifyWebhookSignature({ body, signature, secret });
You'll need the request body and headers to pass to verifyWebhookSignature.
If isValid is truthy then you can safely execute your webhook handler code knowing the request is genuine, otherwise you should abort any further action.
You may also verify webhook signatures manually by generating your own signature using whatever cryptographic library can generate a SHA256 digest.
Let's break the gcms-signature header down:
sign=x0jU8z7AXAARIDBgsiVyfOG000wb2HhqN/mxl6+RSMk=, env=master, t=1631270481036
sign= is the signatureenv= is the environment of the Hygraph projectt= is the timestamp of the eventFirst you'll need to get the signature, and timestamp from the header so they can be used to construct a new payload. If you're using JavaScript, it could look something like this:
const [rawSign, rawEnv, rawTimestamp] = signature.split(", ");const sign = rawSign.replace("sign=", "");const EnvironmentName = rawEnv.replace("env=", "");const Timestamp = parseInt(rawTimestamp.replace("t=", ""));
You'll next need to create a string of the payload that will be hashed, using the request body. If you're using JavaScript, it could look something like:
let payload = JSON.stringify({Body: JSON.stringify(body),EnvironmentName,TimeStamp: Timestamp,});
If you're using JavaScript, it could look something like:
const { createHmac } = require("crypto");const hash = createHmac("sha256", secret).update(payload).digest("base64");
All that's left to do is compare that the sign= value and hash match. If you're using JavaScript, this may look something like:
const isValid = sign === hash
That's it! You can then decide whether or not you want to continue executing the webhook code based on the result of isValid.
Blog Author
Jamie is a software engineer turned developer advocate. Born and bred in North East England, he loves learning and teaching others through video and written tutorials. Jamie currently publishes Weekly GraphQL Screencasts.
Content Finder (Beta) helps you find any content in seconds across models and locales so you can stop digging and save time. Just hit CMD+K and jump straight to what you need.
Scattered tags and inconsistent categories make content hard to manage. With Taxonomies, you can classify content using shared, hierarchical tags that bring order, consistency, and speed as projects grow.
With Variants, you can create and manage personalized content at scale, directly within your content schema. Build tailored experiences for different user segments without cluttering your content repository.