Signed Webhooks

Signed webhooks are now available for Forminit webhooks.

You can now verify that incoming webhook requests were sent by Forminit before your server processes the payload. This adds an extra security layer for teams that connect Forminit submissions to internal tools, CRMs, databases, queues, or custom backend workflows.

New

• Signed Webhooks: Forminit can now sign webhook requests with an HMAC-SHA256 signature
• Signing Secret: Each webhook has a private whsec_... secret that you can store in your application
• Verification Headers: Webhook requests include Forminit-Webhook-Id, Forminit-Webhook-Timestamp, and Forminit-Webhook-Signature
• Replay Protection: Your server can reject old webhook requests by checking the timestamp
• Idempotency: Use Forminit-Webhook-Id to avoid processing the same webhook event more than once
• Secret Regeneration: Regenerate the signing secret from your webhook settings when needed

Improved

• Test webhooks are signed using the same mechanism as production webhooks
• Existing webhook endpoints can continue working without signature verification
• Signed webhooks are optional, so you can enable verification only where you need it

Signed webhooks are useful when your webhook endpoint triggers important backend actions, such as updating customer records, creating support tickets, syncing data, or starting internal workflows.

You can find setup instructions and code examples for Node.js, Express, Next.js, Laravel, Python Flask, and Cloudflare Workers in the Webhooks documentation.