If I create a dynamic webhook from the REST API:
I can set a random secret like:
Then the secret will be saved on the Atlassian server.
Every time I send an event and trigger the webhook, it will post data to my web app. In order to check if it's the identity which I allow, I have to compare the post header and the secret code I set before.
But I can find only the x-hub-signature header in the incoming data. And each time it changes to a different one.
So how can I handle it correctly?
Here is the example code:
function handleWebhook(req, res) {
    // Retrieve the secret code from the request headers
    const receivedSecret = req.headers['x-hub-signature'];
    // Verify the secret code
    if (receivedSecret === process.env.JIRA_WEBHOOK_SECRET) {
        // Secret code is valid, proceed with handling the webhook payload
        console.log('Received webhook payload:', req.body);
        // Respond with a 200 OK status to acknowledge receipt of the webhook
        res.sendStatus(200);
    } else {
        // Secret code doesn't match, reject the request
        console.error('Invalid secret code');
        res.sendStatus(403); // Forbidden
    }
}
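
An added example, not part of the original post: a header that differs on every delivery is what an HMAC signature of the request body looks like, so the receiver recomputes the HMAC with the stored secret and compares it, rather than comparing the header to the secret. It assumes the header has the form `sha256=<hex>` over the raw body bytes and that `req.rawBody` holds those bytes; `verifySignature` and `sign` are hypothetical helper names.

```javascript
const crypto = require('node:crypto');

// Assumption: the header has the form "sha256=<hex>", where <hex> is
// HMAC-SHA256(secret, raw request body). The value changes per delivery
// because the body changes; the secret itself is never sent.
function verifySignature(rawBody, headerValue, secret) {
  if (!secret || rawBody == null || typeof headerValue !== 'string') return false;
  const sep = headerValue.indexOf('=');
  if (sep < 1) return false;
  const method = headerValue.slice(0, sep).toLowerCase();
  const receivedHex = headerValue.slice(sep + 1);
  // Accept only the digest we expect, and only a well-formed 32-byte value.
  if (method !== 'sha256' || !/^[0-9a-f]{64}$/i.test(receivedHex)) return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  // Constant-time compare; both buffers are 32 bytes at this point.
  return crypto.timingSafeEqual(expected, Buffer.from(receivedHex, 'hex'));
}

// Hypothetical helper: builds a header value for the constructed sample below.
function sign(rawBody, secret) {
  const hex = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  return `sha256=${hex}`;
}

// Express-style handler. Assumes req.rawBody holds the unparsed request bytes
// (for example captured with the `verify` option of express.json()).
function handleWebhook(req, res) {
  const secret = process.env.JIRA_WEBHOOK_SECRET;
  if (!verifySignature(req.rawBody, req.headers['x-hub-signature'], secret)) {
    return res.sendStatus(403); // missing, malformed or wrong signature
  }
  return res.sendStatus(200);
}

// Constructed sample delivery (not real Jira output).
const sampleBody = Buffer.from('{"webhookEvent":"jira:issue_updated"}');
const sampleHeader = sign(sampleBody, 'constructed-secret');
console.log(verifySignature(sampleBody, sampleHeader, 'constructed-secret'));       // true
console.log(verifySignature(Buffer.from('{}'), sampleHeader, 'constructed-secret')); // false
```

The HMAC must be computed over the exact bytes received; re-serializing a parsed JSON body can change whitespace or key order and make a valid signature fail.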