DocuSign logo

Verify DocuSign Webhook Signatures

DocuSign Connect signs each webhook with HMAC-SHA256 over the exact raw payload bytes, base64-encodes the digest and sends it in the X-DocuSign-Signature-1 header (with -2, -3… when several HMAC keys are active). Paste the raw body, your Connect HMAC key and the header value below.

Paste the X-DocuSign-Signature-1 value above to compare

Everything runs in your browser — the payload and secret never leave this page. Want to verify a different provider? See the webhook signature verifier hub or the generic HMAC generator.

How DocuSign signs webhooks

  1. Enable HMAC security on your Connect configuration and store the generated key — DocuSign shows it only once.
  2. On each delivery, read X-DocuSign-Signature-1 (one header per active key: -2, -3… up to 100).
  3. Compute HMAC-SHA256 of the raw request body using the key, then base64-encode the digest.
  4. Compare against the header with a constant-time check. A match against any active key's header authenticates the delivery.

Verify DocuSign signatures in code

Node.js
const crypto = require('crypto');

// payload must be the RAW request body bytes DocuSign sent.
function isValidDocuSignWebhook(payload, signature, hmacKey) {
  const expected = crypto
    .createHmac('sha256', hmacKey)
    .update(payload)
    .digest('base64');
  return crypto.timingSafeEqual(
    Buffer.from(expected), Buffer.from(signature));
}

const ok = isValidDocuSignWebhook(
  rawBody,
  req.headers['x-docusign-signature-1'],
  process.env.DOCUSIGN_HMAC_KEY);
Python
import base64, hashlib, hmac

def is_valid_docusign_webhook(payload: bytes, signature: str,
                              hmac_key: str) -> bool:
    digest = hmac.new(hmac_key.encode(), payload,
                      hashlib.sha256).digest()
    expected = base64.b64encode(digest).decode()
    return hmac.compare_digest(expected, signature)

Frequently asked questions

Are DocuSign Connect webhooks signed by default?

No. Until you enable HMAC on the Connect configuration and add at least one key, deliveries carry no X-DocuSign-Signature-* headers. Enable it in the eSignature admin under Connect → your configuration.

Why are there multiple X-DocuSign-Signature-N headers?

One per active HMAC key (up to 100), which lets you rotate keys with zero downtime: verify against each active key and accept if any matches.

Does DocuSign retry failed webhook deliveries?

Yes, aggressively — Connect keeps retrying for around 24 hours with growing intervals. We have observed envelopes arriving with retryCount above 20, so make your handler idempotent and return 2xx quickly.