Skip to main content
Slack signs each request with an HMAC-SHA256 over the basestring v0:{timestamp}:{body}, sent as X-Slack-Signature: v0=<hex> alongside X-Slack-Request-Timestamp. Register the signing secret and webhook.co verifies every request — and answers Slack’s setup handshake for you.

Get the signing secret

In your Slack app config at api.slack.com/apps, open Basic Information → App Credentials and copy the Signing Secret.

Register it on your endpoint

printf %s "$SLACK_SIGNING_SECRET" | wbhk endpoints add-provider-secret <endpoint-id> \
  --provider slack
curl https://api.webhook.co/v1/endpoints/<endpoint-id>/provider-secrets \
  -H "Authorization: Bearer $WEBHOOK_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"provider":"slack","secret":"your_signing_secret"}'
await webhook.providerSecrets.add({
  endpointId,
  provider: "slack",
  secret: process.env.SLACK_SIGNING_SECRET!,
});

The url_verification handshake

When you save an ingest URL in Slack’s Event Subscriptions, Slack POSTs a url_verification challenge. webhook.co detects it and echoes the challenge value automatically — no configuration, and the challenge is never captured as an event. Slack signs the timestamp, so webhook.co enforces a 5-minute replay window on real events.

Confirm

wbhk events list <endpoint-id> --status verified