Webhook signature

All requests sent to your webhook endpoints will be signed so that you can verify that traffic coming to your servers is coming from ClickUp.

To sign our requests, we use a hash-based message authentication code, or HMAC.

Each webhook that is created will be provided with a secret which can be found on any of the CRUD webhook endpoints.

When a request is sent to your webhook endpoint a signature will be created by hashing the body of the request that is being sent with the shared secret.

This signature is sent in the X-Signature http header so that the client can verify it was made with the same secret that it has access to.


Signatures will always be digested using hexadecimal.

An example event request sent to a webhook endpoint:

Content-Type: application/json
X-Signature: f7bc83f430538424b13298e6aa6

Here is an example response:

    "webhook_id": "7689a169-a000-4985-8676-6902b96d6627",
    "event": "taskCreated",

The X-Signature value for this request was created by creating a SHA-256 hash of the above request body using the provided secret as a key.

In order for the client to verify the signature, it can create a hash signature using the same algorithm and see if the value matches.

Below is an example using Node.js. You can find examples using other languages here.


The body in this example already exists as a string. If you are using an http client that automatically parses request bodies, you must stringify the object with no white spaces inserted.

.const crypto = require('crypto');

const key = 'secret'; // from the webhook object
const body = '{"webhook_id":"7689a169-a000-4985-8676-6902b96d6627","event":"taskCreated","task_id":"c0j"}';

const hash = crypto.createHmac('sha256', key).update(body);

const signature = hash.digest('hex');