Webhook signing and delivery
How to verify webhook signatures, the payload format, retry behavior, and the delivery log.
Outbound webhooks are persisted, signed, and retried with exponential backoff. This page explains the wire format and how to verify the signature on your receiving server.
Payload format
Every submission triggers a POST with the following JSON body. Content
type is application/json.
The data object contains exactly the fields the submitter
filled in — keyed by the field name attribute, not
the visible label.
Headers we send
| Header | Value |
|---|---|
| Content-Type | application/json |
| User-Agent | formbuild.io/1.0 |
X-Formbuild-Signature | HMAC-SHA256 of the raw body, hex-encoded — only sent when a signing secret is configured |
Setting up a signing secret
In your form's settings, on the Integrations tab, expand the Webhooks panel. You'll see a Signing secret control with a Generate button. Click it and copy the 64-character hex string — this is the last time you'll see the full value, so paste it into your server config now.
Verifying the signature on your server
The signature is computed over the raw request body as received — before any JSON parsing or whitespace normalization. Always read the body as bytes/string and compute HMAC-SHA256 with your secret, then compare against the header.