Examples

Verify webhook signatures

HMAC verification.

Overview

Verify HMAC-SHA256 signatures on incoming Zof webhook payloads before processing run.completed or remediation events. Prevents forged callbacks from blocking pipelines or creating false Jira tickets.

Who should read this

  • QA engineers, SREs, platform teams, and developers operating Zof Console and APIs.

Prerequisites

  • Organization API key or authenticated CLI
  • Staging environment for safe experimentation

When to use this workflow

  • Onboarding new team members to Zof terminology and workflows
  • Authoring internal runbooks aligned with Console labels
  • Designing CI/CD or webhook integrations against documented behavior

Step-by-step procedure

Prepare environment

Store ZOF_API_KEY in CI secrets or local env.

Confirm target project and suite IDs in Console.

Apply pattern

Copy example configuration into your pipeline or service.

Adjust environment names and notification channels.

Validate

Run once manually before enforcing gates.

Capture run ID in runbook for support reference.

Key concepts

Organization scope
All Zof Console and API operations are isolated to your authenticated tenant.
Governed execution
Agent output and remediation follow policy packs with human approval when configured.

Best practices

  • Use raw request body for HMAC, not re-serialized JSON
  • Rotate signing secrets via Admin Center without changing endpoint URL
  • Return 2xx only after idempotent event handling completes

Example implementation

import crypto from 'crypto';
export function verifyZofSignature(rawBody, signature, secret) {
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}

Was this page helpful?

01Zof Console

Isang surface para sa posture, operasyon, at kung ano ang kailangang asikasuhin susunod.

Ang authenticated na home na binubuksan araw-araw ng mga team ng engineering, QA, at SRE: quality posture, mga in-flight na run, coverage ayon sa module, at kung ano ang dapat asikasuhin susunod.

OPERATIONAL KPIs

  • Mga Run
  • Coverage
  • Panganib

Live sa bawat environment na sini-ship mo.

WORK SPINE

  • Specs
  • Tests
  • Schedules

Mula sa specification hanggang scheduled regression.

GUARDRAILS

  • RBAC
  • SSO
  • audit

Bawat aksyon ay maiuugnay sa pinangalanang tao.

LIVE/console
Zof AI home command center na nagpapakita ng 12 run sa 94% pass, 3 bukas na kritikal na isyu, 84% coverage, apat na module traceability bar, ang specification pipeline, mga paparating na iskedyul, at mga inirerekomendang susunod na aksyon na may active-runs sidebar.
Home view · Checkout Service · Staging · captured live from the product.
  • 01 · RUNS · 24H

    94% pass

    12 runs across staging

  • 02 · COVERAGE

    84%

    Across four modules

  • 03 · ACTIVE RUNS

    3 running

    Live on this branch

  • 04 · NEXT ACTIONS

    Recommended

    Triage gaps, new spec

Verify webhook signatures | Zof AI Documentation