Help Centre / Developer API & Webhooks
🔐

Verify BOS webhook signatures

Use each webhook signing secret to verify X-BOS-Signature before trusting inbound event payloads in n8n or your app.

Developer API & Webhooks6 min read

Why this matters

When BOS sends an outbound event, the receiving app should confirm that the event really came from BOS and was not changed in between.

Headers BOS sends

  1. X-BOS-Event contains the event name.
  2. X-BOS-Delivery-ID is the unique delivery attempt ID.
  3. X-BOS-Timestamp shows when BOS sent the event.
  4. X-BOS-Signature contains sha256= followed by an HMAC SHA-256 signature.

How to verify

Copy the webhook signing secret when the webhook is created or regenerated. In your app, calculate HMAC SHA-256 using the raw request body and that secret. Compare it with X-BOS-Signature.

Related help

Getting started with Kasaloma BOSSet up company profile and brandingAdd team users and choose rolesDeveloper API monitoring, cleanup and production healthAPI v1 compatibility lock and changelog

Need direct support?

Contact Kasaloma support if you cannot find the answer or your workspace needs checking.

Contact support