verifyWebhookSignature()

function verifyWebhookSignature(__namedParameters: VerifyWebhookSignatureArgs): Promise<boolean>;

Verifies a webhook request's HMAC signature.

Todoist signs each webhook delivery by computing an HMAC-SHA256 over the raw request body with the app's client_secret as the key. The base64-encoded digest is sent in the X-Todoist-Hmac-SHA256 header.

Uses the Web Crypto API (crypto.subtle), which is available in Node ≥ 20, modern browsers, React Native (with polyfills), and edge runtimes. The comparison is constant-time.

Parameters

| Parameter | Type |
| --- | --- |
| `__namedParameters` | `VerifyWebhookSignatureArgs` |

Returns

Promise<boolean>

true when the signature is valid, false otherwise. Never throws on malformed input.
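
The scheme described above, written out as an added example; it is not the SDK's own implementation. The names verifyTodoistHmac and signForDemo, the secret, and the request body are constructed for illustration, and the comparison is delegated to crypto.subtle.verify. It shows why the check must run over the raw bytes: a body that was parsed and re-serialized no longer verifies.

```javascript
// Added example. verifyTodoistHmac, signForDemo, the secret and the body are constructed.
const enc = new TextEncoder();
// Web Crypto global (Node >= 20, browsers, edge); require() is only a fallback for older Node.
const subtle = globalThis.crypto ? globalThis.crypto.subtle : require('node:crypto').webcrypto.subtle;

function importHmacKey(clientSecret) {
  return subtle.importKey('raw', enc.encode(clientSecret),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
}

// True only when headerValue is base64(HMAC-SHA256(key=clientSecret, msg=rawBody)).
async function verifyTodoistHmac(rawBody, headerValue, clientSecret) {
  try {
    if (typeof headerValue !== 'string' || headerValue === '') return false;
    // atob throws on non-base64 input; the catch below turns that into false.
    const sig = Uint8Array.from(atob(headerValue), (c) => c.charCodeAt(0));
    const data = typeof rawBody === 'string' ? enc.encode(rawBody) : rawBody;
    const key = await importHmacKey(clientSecret);
    // subtle.verify recomputes the MAC and compares it inside the crypto library.
    return await subtle.verify('HMAC', key, sig, data);
  } catch {
    return false;
  }
}

// Demo-only sender side: produces the header value for a given body.
async function signForDemo(rawBody, clientSecret) {
  const key = await importHmacKey(clientSecret);
  const mac = new Uint8Array(await subtle.sign('HMAC', key, enc.encode(rawBody)));
  return btoa(String.fromCharCode(...mac));
}

async function demo() {
  const secret = 'constructed-client-secret';
  const rawBody = '{"event_name": "example",  "event_data": {"id": "1"}}'; // constructed
  const header = await signForDemo(rawBody, secret);
  return {
    rawBody: await verifyTodoistHmac(rawBody, header, secret),
    // Parsing and re-serializing changes whitespace, so the bytes no longer match.
    reserialized: await verifyTodoistHmac(JSON.stringify(JSON.parse(rawBody)), header, secret),
    wrongSecret: await verifyTodoistHmac(rawBody, header, 'another-secret'),
    malformedHeader: await verifyTodoistHmac(rawBody, '%%not base64%%', secret),
    missingHeader: await verifyTodoistHmac(rawBody, undefined, secret),
  };
}

demo().then((r) => console.log(r));
```

In a request handler, capture the body bytes before any JSON middleware runs and pass those bytes to the verifier.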