All webhooks from the Astra platform include the Astra-Verification header that can be used to verify the validity of a wehook. This header provides a Base64 encoded HMAC hash of the CLIENT_SECRET and the webhook payload using the HMAC-SHA256 hash function.

To verify the authenticity of a webhook, decode the Base64 encoded string and compare this to the HMAC hash computed on your backend server.

#Python example of HMAC verification of the Astra-Verification header:

import base64
import hashlib
import hmac
import os

astra_verification_header = webhook_request.headers.get("Astra-Verification")
decoded_astra_verification_header = base64.b64decode(astra_verification_header)

payload = webhook_request.get_data()
client_secret = bytes(os.environ.get("ASTRA_CLIENT_SECRET"), 'UTF-8')
hmac_obj =, json.dumps(payload).encode(encoding='UTF-8'), digestmod=hashlib.sha256)
hmac_digest = hmac_obj.digest()

if hmac.compare_digest(decoded_astra_verification_header, hmac_digest) is True:
    print("Astra Webhook Verified")
    raise Exception("Astra Webhook not verified!")


The result of the json.dumps(payload) payload (that is passed into the method) includes whitespace after each comma and colon as seen in the example below:

{"webhook_type": "routine_updated", "resource_id": "4816908952010752", "user_id": "93k08a40d032o54f748773f", "webhook_id": "a5df3ed9-00000-0000-96cb-150e3fe3e31d"}