# Security

## **Overview**

EnGenius Cloud Webhooks use multiple security mechanisms to help ensure that webhook requests are **securely transmitted** and can be verified by the **receiving** webhook server.

The webhook security model includes:

* **Transport Security (HTTPS / TLS)**
* **Signature Verification (HMAC-SHA256)**

These mechanisms help protect webhook communications against interception, message tampering, and replay attacks.

## **Transport Security (HTTPS / TLS 1.2 or above)**

All webhook requests are delivered using **HTTPS POST with TLS 1.2 or above** to ensure **encrypted** communication between EnGenius Cloud and the webhook server during transmission.

Webhook servers must use a **TLS-enabled HTTPS URL** hosted on a public server with a valid SSL certificate.

## **Signature Verification (HMAC-SHA256)**

EnGenius Cloud supports optional **HMAC-SHA256 signature verification** for webhook requests.

Administrators can configure a **Shared Secret** for each webhook server. When enabled, EnGenius Cloud generates a signature and includes verification information in the HTTP request headers.

This mechanism allows the receiving server to verify:

* The request was generated using the configured Shared Secret
* The webhook payload was not modified during transmission

### **HMAC-SHA256 Signature Flow**

The following diagram illustrates the **HMAC-SHA256** signature generation and verification flow used by EnGenius Cloud webhook requests.

<figure><img src="/files/MyBbfzdxNITv2AKfvifX" alt=""><figcaption><p>Webhook HMAC-SHA256 Signature Flow</p></figcaption></figure>

When signature verification is enabled, EnGenius Cloud includes the following **HTTP headers** in webhook requests:

| HTTP Header            | Description           |
| ---------------------- | --------------------- |
| `X-EnGenius-Timestamp` | Request timestamp     |
| `X-EnGenius-Signature` | HMAC-SHA256 signature |

EnGenius Cloud generates the signature using the following process:

1. Create the signing message using:

   `message = X-EnGenius-Timestamp + raw webhook request body`
2. Generate a signature using the **configured Shared Secret** and the **HMAC-SHA256 algorithm**.\
   `signature = HMAC_SHA256(shared_secret, message)`
3. Include the generated signature in the `X-EnGenius-Signature` HTTP header.

The receiving server should use the same Shared Secret, together with the received timestamp **(X-EnGenius-Timestamp)** and raw request body, to regenerate and verify the signature.\
If the generated signature matches the received signature value, the webhook request can be considered authentic and unmodified.
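
A receiver-side check for the flow described above, as an added example that is not EnGenius code. The page does not state how the signature header is encoded or what format the timestamp uses, so hex encoding (switchable to base64), a Unix-epoch-seconds timestamp and a 300-second freshness window are assumptions; `verify_webhook`, `expected_signature` and their parameters are hypothetical names.

```python
import base64
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: freshness window chosen by the receiver


def expected_signature(shared_secret: bytes, timestamp: str, raw_body: bytes) -> bytes:
    # message = X-EnGenius-Timestamp + raw webhook request body (as on the page)
    message = timestamp.encode("utf-8") + raw_body
    return hmac.new(shared_secret, message, hashlib.sha256).digest()


def verify_webhook(shared_secret, headers, raw_body, now=None, encoding="hex"):
    """Return (ok, reason). `headers` maps lower-cased header names to values."""
    # raw_body must be the bytes as received: re-serialized JSON rarely matches.
    timestamp = headers.get("x-engenius-timestamp")
    received = headers.get("x-engenius-signature")
    if not timestamp or not received:
        return False, "missing header"
    try:
        # Assumption: the header carries the digest as hex (or base64).
        if encoding == "hex":
            received_mac = bytes.fromhex(received.strip())
        else:
            received_mac = base64.b64decode(received.strip(), validate=True)
    except ValueError:
        return False, "malformed signature"
    # Constant-time comparison avoids leaking how many bytes matched.
    expected = expected_signature(shared_secret, timestamp, raw_body)
    if not hmac.compare_digest(expected, received_mac):
        return False, "signature mismatch"
    # Freshness is checked only after the timestamp has been authenticated.
    try:
        sent_at = int(timestamp)  # assumption: Unix epoch seconds
    except ValueError:
        return False, "unparseable timestamp"
    current = time.time() if now is None else now
    if abs(current - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    return True, "ok"


if __name__ == "__main__":
    secret, ts = b"constructed-secret", "1700000000"  # constructed sample values
    body = b'{"event":"constructed"}'
    sig = expected_signature(secret, ts, body).hex()
    hdrs = {"x-engenius-timestamp": ts, "x-engenius-signature": sig}
    print(verify_webhook(secret, hdrs, body, now=1700000010))
```

Because the timestamp is part of the signed message, a captured request cannot be given a fresh timestamp without invalidating the signature; the freshness window is what bounds how long an unmodified capture stays acceptable.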

