The Mux Developer Hub

Welcome to the Mux developer hub. You'll find comprehensive guides and documentation to help you start working with Mux as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started

Webhook Security

You have the option to verify webhook requests that Mux sends to your endpoints. Mux will include a signature in the request's mux-signature header. You can use this signature in your code to make sure the request was sent by Mux and not a third party.

First, you will need your webhook's signing secret. You can find that where you configure webhooks on the webhooks settings page. Note that the signing secret is different for each url we notify.

Verifying Signatures With Our SDKs

You can verify webhook signatures using our official SDKs for Node and Elixir. Visit these SDKs for detailed documentation.

Verifying Signatures Manually

You can also verify the signature manually, if you do not use one of the above SDKs. The mux-signature header contains the timestamp and a signature. The timestamp is prefixed by t=, and the signature is prefixed by a scheme. Schemes start with v, followed by an integer. Currently, the only valid signature scheme is v1. Mux generates signatures using HMAC with SHA-256

Mux-Signature: t=1565220904,v1=20c75c1180c701ee8a796e81507cfd5c932fc17cf63a4a55566fd38da3a2d3d2

Step 1: Extract the timestamp and signature

Split the header at the , character and get the values for t (timestamp) and v1 (the signature)

Step 2: Prepare the signed_payload string

You will need:

  • the timestamp from Step 1 as a string (for example: "1565220904")
  • the dot character .
  • the raw request body (this will be JSON in a string format)

Step 3: Determine the expected signature

Use the 3 components from Step 2 to compute an HMAC with the SHA256 hash function. Depending on the language that you are using this will look something like the following:

secret = // your signing secret
payload = timestamp + "." + request_body
expected_signature = createHmacSha256(payload, secret)

Step 4: Compare signature

Compare the signature in the header to the expected signature. If the signature matches, compute the difference between the current timestamp and the received timestamp, and decide if the difference is within our tolerance. By default our SDKs allow a tolerance of 5 minutes.

Updated about a year ago

Webhook Security

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.