Get signature secret

By default, SafetyCulture will send a signature with each webhook in the x-safetyculture-signature header.

The signature is generated using HMAC-SHA256, a hash-based message authentication code HMAC used with the SHA-256 hash function and a signature secret. The token provided by this GET endpoint provides the signature secret.

To verify the webhook is sent by SafetyCulture, you will need to generate the HMAC signature and compare it with the x-safetyculture-signature header.

The below example in Golang shows you how to generate the HMAC signature:

import (

// generateSignature creates a hash with the organisation secret token and a webhook payload.
func generateSignature(secret string, payload []byte) string {
    mac := hmac.New(sha256.New, []byte(secret))
    return hex.EncodeToString(mac.Sum(nil))

The secret is the token provided by this endpoint.

The payload is the raw webhook body.

Click Try It! to start a request and see the response here!