Skip to main content
Verify that every webhook request actually came from Firecrawl by checking its HMAC-SHA256 signature. This stops attackers from spoofing payloads and lets you trust the data before acting on it.

Secret Key

Your webhook secret is available in the Advanced tab of your account settings. Each account has a unique secret used to sign all webhook requests.
Keep your webhook secret secure and never expose it publicly. If you believe your secret has been compromised, regenerate it immediately from your account settings.

Signature Verification

Each webhook request includes an X-Firecrawl-Signature header:

How to Verify

  1. Extract the signature from the X-Firecrawl-Signature header
  2. Get the raw request body (before parsing)
  3. Compute HMAC-SHA256 using your secret key
  4. Compare signatures using a timing-safe function

Implementation

Best Practices

  • Verify every request. Always check the signature before processing a webhook payload. Reject any request that fails verification with a 401 status.
  • Use timing-safe comparisons. Standard string comparison can leak timing information. Use crypto.timingSafeEqual() in Node.js or hmac.compare_digest() in Python.
  • Serve your endpoint over HTTPS. This ensures webhook payloads are encrypted in transit.