Webhook Middleware

SingleForm provides official middleware libraries for verifying webhook signatures. Each library handles HMAC-SHA256 signature verification, timestamp validation, and provides response helpers — so you don’t have to implement the security protocol manually.

All libraries share the same verification logic:

Extract the 4 signed headers from each request
Validate the timestamp is within the tolerance window (default: 5 minutes)
Reconstruct the payload: {formId}.{timestamp}.{nonce}
Compute HMAC-SHA256 and compare using a timing-safe function
Attach verified metadata to the request for your handler

Available Libraries

Express (Node.js)Python Ruby / Rails

Choosing a Library

Library	Package	Frameworks
Express	`@singleform/express-webhook`	Express 4/5
Python	`singleform-webhook`	Flask, Django, FastAPI, or any WSGI/ASGI app
Ruby / Rails	`singleform_webhook`	Rails, Sinatra, or any Rack app

Using a different language? See Integration Examples for manual verification code you can adapt to any framework.

What Every Library Provides

Signature verification — HMAC-SHA256 with timing-safe comparison
Replay protection — configurable timestamp tolerance (default 300 seconds)
Request metadata — form ID, timestamp, nonce, and signature attached to the request
Response helpers — success(), error(), and validationError() functions that return the correct JSON format
Error types — MISSING_HEADERS, INVALID_TIMESTAMP, TIMESTAMP_EXPIRED, SIGNATURE_MISMATCH