
Securing webhook endpoints

Dash uses provider-defined header authentication for webhooks. You pick the header name and secret; Dash sends them on every POST so you can verify the call originated from us.

The Authentication header pair

In the Portal, set:

Authentication Key (string)
The HTTP header name Dash will use, e.g. X-Dash-Signature or X-Webhook-Token.
Authentication Value (string)
A high-entropy secret only you and Dash know. Treat it like a password.

Verifying in your handler

Compare the incoming header against your stored secret with a constant-time check, and reject mismatches with a non-2xx status so Dash treats it as a delivery failure.

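import crypto from "crypto";
import express from "express";

const app = express();

// Fail at startup rather than compare against an undefined secret.
const EXPECTED = process.env.DASH_WEBHOOK_SECRET;
if (!EXPECTED) throw new Error("DASH_WEBHOOK_SECRET is not set");
const EXPECTED_BUF = Buffer.from(EXPECTED);

app.post("/dash-webhook", express.json(), (req, res) => {
  // Header name must match the Authentication Key configured in the Portal.
  const got = Buffer.from(req.get("X-Dash-Signature") ?? "");
  // timingSafeEqual throws on unequal byte lengths, so compare buffer lengths first.
  const ok = got.length === EXPECTED_BUF.length &&
    crypto.timingSafeEqual(got, EXPECTED_BUF);

  if (!ok) return res.status(401).json({ error: "bad signature" });

  // process req.body — keyed by req.body.deliveryID + req.body.status
  res.status(200).end();
});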

Always return 2xx within a few seconds. Slow responses risk triggering the retry loop and producing duplicate events — dedupe by deliveryID + status + updatedAt.
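
One way to implement the dedupe and fast-acknowledge advice above, as an added example that is not Dash's own code. `DeliveryDeduper`, `handleDelivery` and the `enqueue` callback are hypothetical names, and the 24-hour retention window, the entry cap and the 400 response for a malformed body are assumptions.

```javascript
// Added example, not Dash's code. Field names come from the page's dedupe advice.
function dedupeKey(event) {
  const parts = [event?.deliveryID, event?.status, event?.updatedAt];
  if (parts.some((p) => p === undefined || p === null || p === "")) return null;
  // JSON-encode so field boundaries stay unambiguous ("a|b","c" vs "a","b|c").
  return JSON.stringify(parts.map(String));
}

class DeliveryDeduper {
  constructor({ ttlMs = 24 * 60 * 60 * 1000, maxEntries = 100000 } = {}) {
    this.ttlMs = ttlMs;           // assumed retention window, tune to the retry horizon
    this.maxEntries = maxEntries; // hard cap so a flood of events cannot exhaust memory
    this.seen = new Map();        // key -> expiry in ms; Map iterates in insertion order
  }

  // Returns "new", "duplicate", or "invalid" (a key field is missing).
  check(event, now = Date.now()) {
    const key = dedupeKey(event);
    if (key === null) return "invalid";
    const expiry = this.seen.get(key);
    if (expiry !== undefined && expiry > now) return "duplicate";
    this.seen.delete(key); // re-insert at the tail so order tracks expiry
    this.seen.set(key, now + this.ttlMs);
    this.evict(now);
    return "new";
  }

  // Drop expired entries from the head, and the oldest ones while over the cap.
  evict(now) {
    for (const [key, expiry] of this.seen) {
      if (expiry > now && this.seen.size <= this.maxEntries) break;
      this.seen.delete(key);
    }
  }
}

// Call after the header check passes. `enqueue` is a hypothetical hand-off to a
// background worker so the HTTP response is not held up by processing.
function handleDelivery(event, deduper, enqueue, now = Date.now()) {
  const verdict = deduper.check(event, now);
  if (verdict === "invalid") return 400; // assumption: malformed body is rejected
  if (verdict === "new") enqueue(event);
  return 200; // duplicates are acknowledged without being processed again
}
```

The map lives in one process, so a deployment with several handler instances needs the same check against a shared store.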