Documentation Index
Fetch the complete documentation index at: https://docs.clear-box.io/llms.txt
Use this file to discover all available pages before exploring further.
Every ClearBox webhook includes a signature header so you can confirm it came from ClearBox and was not tampered with.
ClearBox-Signature: t=1716912000,v1=<hex_signature>
v1 as an HMAC-SHA256 of {timestamp}.{raw_body} using your endpoint’s signing secret (found in the Dashboard).
Verify in Node.js
import crypto from "crypto";
function verify(rawBody, header, secret) {
const parts = Object.fromEntries(
header.split(",").map((kv) => kv.split("="))
);
const signed = `${parts.t}.${rawBody}`;
const expected = crypto
.createHmac("sha256", secret)
.update(signed)
.digest("hex");
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(parts.v1)
);
}
Compare signatures with a constant-time function (e.g. crypto.timingSafeEqual) and reject events whose timestamp is too old to prevent replay attacks. Use the raw request body — not a re-serialized object — when computing the signature.
