Validate webhooks
We will send webhooks for real-time updates, for example, whenever an item sells. This is so you can react quickly and update your inventory and other platforms that the item is no longer available.
The webhook will be sent to the URL you provide us. We don't have a portal to manage these webhooks yet, so please let us know the URL and whenever you want to change it.
Securing the webhook endpoint
We recommend you check that the webhook you're receiving on your endpoint was actually triggered by Depop.
To validate that the webhook came from us, you can use the X-Depop-Signature header.
This header contains an HMAC-SHA256 signature of the timestamp and body of the request, separated by a dot: <timestamp>.<body>.
The timestamp is the number of seconds since the Unix epoch (1970-01-01T00:00:00Z).
The signature is calculated using the secret we have provided you with, which is different to your API key.
You can calculate the signature using the following Python code:
```python
import hmac
import hashlib


def validate_webhook_signature(timestamp, body, signature, secret):
    # Recompute the HMAC-SHA256 of "<timestamp>.<body>" with the webhook secret
    expected_signature = hmac.new(
        secret.encode('utf-8'),
        f'{timestamp}.{body}'.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()
    # Constant-time comparison against the X-Depop-Signature header value
    return hmac.compare_digest(expected_signature, signature)
```
You should compare the signature you calculate with the value of the X-Depop-Signature header.
If they match, you can be confident that the webhook came from us.
Use the raw request body for signature validation
The signature is computed over the exact bytes we send. If your web framework parses and re-serializes the JSON body, differences in whitespace, key ordering, or escaping will cause a signature mismatch. Always compute the HMAC over the original, unmodified request body.
We also send the timestamp in the X-Depop-Timestamp header, which you can use to check the age of the request.
Check that the difference between the current time and the timestamp is within a reasonable window for you to process the webhook, and reject requests that fall outside it.
This will help protect you against replay attacks.
To protect against possible timing attacks, compare the signatures with a constant-time comparison function, such as hmac.compare_digest in the example above.
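The following puts the three checks above (freshness, raw-body signing, constant-time comparison) into one handler. It is an added example, not Depop's own code; the secret, payload, 300-second tolerance and the assumption that headers arrive as a dict keyed by the exact header names are all constructed for the demonstration.

```python
import hmac
import hashlib
import json
import time

# Constructed values for this example; the real secret is the one Depop provides.
SECRET = "example-webhook-secret"
TOLERANCE_SECONDS = 300  # assumed replay window; choose one that suits your pipeline


def sign(timestamp, raw_body, secret):
    """HMAC-SHA256 over "<timestamp>.<body>", hex-encoded, as documented above."""
    message = str(timestamp).encode("utf-8") + b"." + raw_body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_webhook(headers, raw_body, secret, now=None):
    """Check freshness, then signature. Returns (accepted, reason) for logging.
    `headers` is assumed to be a dict keyed by the exact header names."""
    signature = headers.get("X-Depop-Signature", "")
    ts_header = headers.get("X-Depop-Timestamp", "")
    if not signature or not ts_header.isdigit():
        return False, "missing or malformed headers"
    timestamp = int(ts_header)
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance (possible replay)"
    # Sign the raw bytes exactly as received, never a re-serialised copy
    expected = sign(timestamp, raw_body, secret)
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Exercise a fresh request, a stale replay and a re-serialised body."""
    ts = 1_700_000_000
    raw = b'{"event": "item.sold", "item_id": 123}'  # constructed wire bytes
    headers = {"X-Depop-Timestamp": str(ts), "X-Depop-Signature": sign(ts, raw, SECRET)}
    fresh = verify_webhook(headers, raw, SECRET, now=ts + 10)
    stale = verify_webhook(headers, raw, SECRET, now=ts + 3600)
    # Parsing and dumping the JSON drops the spaces, so the bytes no longer match
    reserialised = json.dumps(json.loads(raw), separators=(",", ":")).encode("utf-8")
    mismatch = verify_webhook(headers, reserialised, SECRET, now=ts + 10)
    return fresh, stale, mismatch


if __name__ == "__main__":
    print(demo())
```

The third case is the failure mode described under "Use the raw request body for signature validation": the payload is semantically identical but the bytes differ, so the HMAC does not match.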