Verify DocuSign Webhook Signatures
DocuSign Connect signs each webhook with HMAC-SHA256 over the exact raw payload bytes, base64-encodes the digest and sends it in the X-DocuSign-Signature-1 header (with -2, -3… when several HMAC keys are active). Paste the raw body, your Connect HMAC key and the header value below.
Everything runs in your browser — the payload and secret never leave this page. Want to verify a different provider? See the webhook signature verifier hub or the generic HMAC generator.
How DocuSign signs webhooks
- Enable HMAC security on your Connect configuration and store the generated key — DocuSign shows it only once.
- On each delivery, read
X-DocuSign-Signature-1(one header per active key:-2,-3… up to 100). - Compute HMAC-SHA256 of the raw request body using the key, then base64-encode the digest.
- Compare against the header with a constant-time check. A match against any active key's header authenticates the delivery.
Verify DocuSign signatures in code
const crypto = require('crypto');
// payload must be the RAW request body bytes DocuSign sent.
function isValidDocuSignWebhook(payload, signature, hmacKey) {
const expected = crypto
.createHmac('sha256', hmacKey)
.update(payload)
.digest('base64');
return crypto.timingSafeEqual(
Buffer.from(expected), Buffer.from(signature));
}
const ok = isValidDocuSignWebhook(
rawBody,
req.headers['x-docusign-signature-1'],
process.env.DOCUSIGN_HMAC_KEY);import base64, hashlib, hmac
def is_valid_docusign_webhook(payload: bytes, signature: str,
hmac_key: str) -> bool:
digest = hmac.new(hmac_key.encode(), payload,
hashlib.sha256).digest()
expected = base64.b64encode(digest).decode()
return hmac.compare_digest(expected, signature)Frequently asked questions
Are DocuSign Connect webhooks signed by default?
No. Until you enable HMAC on the Connect configuration and add at least one key, deliveries carry no X-DocuSign-Signature-* headers. Enable it in the eSignature admin under Connect → your configuration.
Why are there multiple X-DocuSign-Signature-N headers?
One per active HMAC key (up to 100), which lets you rotate keys with zero downtime: verify against each active key and accept if any matches.
Does DocuSign retry failed webhook deliveries?
Yes, aggressively — Connect keeps retrying for around 24 hours with growing intervals. We have observed envelopes arriving with retryCount above 20, so make your handler idempotent and return 2xx quickly.
Verify other providers
Receiving DocuSign webhooks on a server behind a firewall or on localhost? Webhook Relay can forward them to your internal service and even verify or transform them before delivery.
