Here is a guide on how to verify Sendstack webhooks:

1. Obtain the signature: When you receive a webhook event, it includes a signature in the x-sendstack-signature header. This signature is generated by computing an HMAC with the SHA256 hash function, using your App Secret as the key, and the JSON payload as the message.

2. Compute your own signature: To verify the authenticity of the webhook event, you need to compute your own signature using the same method as above. You can do this by computing an HMAC with the SHA256 hash function, using your App secret as the key, and the JSON payload as the message.

3. Compare signatures: Once you have computed your own signature, you can compare it to the signature provided in the x-sendstack-signature header. If the two signatures match, then you can be sure that the webhook event was sent by Sendstack and has not been tampered with.

You can use a similar function as displayed below:

const crypto = require('crypto');

function verifySignature(payload, signature, appSecret) {
  const computedSignature = crypto
    .createHmac("sha256", appSecret)
    .update(JSON.stringify(payload))
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(computedSignature)
  );
}