Hi everyone,
I'm working with Confluence Cloud and using Automation to send outgoing webhooks to my server whenever a page event occurs.
My problem:
I want to verify that the webhook payload received on my server actually came from Confluence and hasn't been tampered with — similar to how Jira Cloud webhooks work, where Jira signs the payload using HMAC-SHA256 and sends it in the X-Hub-Signature header, generating a unique signature per request based on the payload content.
What I've found so far:
- Confluence Data Center supports HMAC signing natively when you define a secret on the webhook
- Confluence Cloud Automation does NOT seem to have this — there's no secret/signing option when sending a web request via Automation
- I tried using a smart value like
{{webhookData.toJsonString.hmacSha256("my-secret")}} in a custom header but hmacSha256 doesn't appear to be a supported smart value function
What I'm NOT looking for:
A static token in the header like X-Signature: my-secret-token — this is the same value every time and doesn't prove the payload hasn't been tampered with. It only checks the source, not the integrity of each individual request.
What I AM looking for:
A way to dynamically sign each webhook payload from Confluence Cloud Automation, where the signature changes per request based on the payload content — exactly like Jira's HMAC-SHA256 implementation. Either:
- A smart value function that can generate a dynamic HMAC signature (e.g.
hmacSha256("secret")) - A built-in secret/signing option in the Send Web Request action that I may have missed
- Or any workaround others are using to achieve proper payload integrity verification
Any help appreciated. Thanks!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.