Secure your webhooks

Once you’ve created webhooks from the dashboard, please keep in mind you need to secure them, in order to avoid any vulnerability in your system.

Whitelist our IP address

The first thing to do is to whitelist our IP addresses to make sure nobody else than us can call your urls. We will always call your callback URL from the same IP addresses:

Test environment :


Production environment :



Use the X-Forwarded-For header to get the source IP.

Use the provided secret to check the signatures

Webhooks Signature

When a webhook is created, a secret is automatically generated for all your application. This secret will be used to sign every event that will be sent to your endpoint. You can find the secret on your developer portal.

Check the webhook signatures

Check the events that we send to your webhook endpoints. We sign the events by including a signature in each event's x-lifen-platform-signature header. This allows you to verify that the events were sent by Lifen, not by a third party.


x-lifen-platform-signature: 9b329e633efebd025273e6b539a59a57ad954c90a8fdea4e8e070430d2de4880

We generate signatures using a hash-based message authentication code (HMAC) with SHA-256.

Step 1: Extract the signatures from the header

Step 2: Determine the expected signature - Compute an HMAC with the SHA256 hash function. Use the endpoint’s signing secret as the key, and use the received event, in the string format, as the message.

Step 3: Compare the signatures - Compare the signature (or signatures) in the header to the expected signature.

Signature verification: examples

In the following examples, SECRET is the secret of your signature and PAYLOAD is the whole body sent by the webhook. If you try these examples with the following values:

SECRET = “644b2ac3-0797-4ec6-9537-cb5c0af9caf9”
    "notification-uuid": "776b3f5d-a942-492c-9ea7-2e5aa88cb564",
    "events" : [{ 
      "event-details": {
        "new-patient": "Patient/22908770",
        "old-patient": "Patient/34535354"
        "event-uuid": "766b2f5d-a942-492c-9ea7-2e5aa88cb673", 
      "timestamp": "2020-03-18T16:03:38.000+00:00"

You should obtain :  FAA8ECAC21DA6405D789C76EDB4003756398E7169DACC3FA70CF5919A81374A8

See this code example to get this result:

var crypto = require('crypto');
var hash = crypto.createHmac('SHA256', SECRET).update(PAYLOAD).digest('hex');