RocketLauncher AI

What Is an Ed25519 Signature in GoHighLevel?

By Marnix Geerkens. Published 2026-05-28. Updated 2026-05-28.

An Ed25519 Signature in GoHighLevel is a cryptographic signature appended to outbound webhook requests that lets the receiving server confirm the payload genuinely came from GoHighLevel and was not altered in transit.

In plain English

When GoHighLevel sends an outbound webhook, your receiving server needs a way to know the request is real and not forged by a third party. GoHighLevel uses Ed25519, an elliptic-curve signature algorithm, to sign each webhook payload.

GoHighLevel signs the request body with a private key it keeps secret. It includes the signature in the request headers. Your server then verifies the signature using a public key GoHighLevel publishes. If the signature is valid, the payload is genuine. If it does not match, you reject the request.

This matters in production systems where webhook data triggers real actions: creating records, charging payments, or sending messages. Skipping signature verification means any attacker who knows your webhook URL can send fake requests and manipulate your automations.

How it works

GoHighLevel includes the signature in a header, typically X-GHL-Signature or similar. Your server reads the header, takes the raw request body, and runs the Ed25519 verification function using GoHighLevel's published public key. If verification passes, you process the request. If it fails, you return a 401 or 403.

Most server-side languages have an Ed25519 library. In Node.js you can use the built-in crypto module. In Python you can use the PyNaCl or cryptography library. The verification is a few lines of code once you have the public key.
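The verification flow described above, sketched with Node.js's built-in crypto module. This is an added example, not GoHighLevel's code: the base64 header encoding and the PEM key format are assumptions to check against the developer documentation, and the key pair and payloads are constructed locally so the script runs offline.

```javascript
const crypto = require('node:crypto');

// Header name as the page gives it (Node lowercases incoming header names).
const SIGNATURE_HEADER = 'x-ghl-signature';

// Returns the HTTP status to answer with: 200 if the signature checks out, else 401.
// Assumption: the header carries the base64 encoding of the 64-byte signature.
function verifyWebhook(headers, rawBody, publicKeyPem) {
  const header = headers[SIGNATURE_HEADER];
  if (typeof header !== 'string' || !Buffer.isBuffer(rawBody)) return 401;
  const signature = Buffer.from(header, 'base64');
  if (signature.length !== 64) return 401; // Ed25519 signatures are always 64 bytes
  try {
    const key = crypto.createPublicKey(publicKeyPem);
    if (key.asymmetricKeyType !== 'ed25519') return 401;
    // Ed25519 hashes internally, so the digest argument must be null.
    return crypto.verify(null, rawBody, key, signature) ? 200 : 401;
  } catch {
    return 401; // unparseable key or signature: fail closed
  }
}

// Constructed demo: a locally generated key pair plays the sender's role.
function demo() {
  const sender = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const pem = (k) => k.publicKey.export({ type: 'spki', format: 'pem' });
  const rawBody = Buffer.from('{"event":"example","contactId":"demo-123"}');
  const sig = crypto.sign(null, rawBody, sender.privateKey).toString('base64');
  const headers = { [SIGNATURE_HEADER]: sig };
  // Parsing and re-serializing changes the bytes, so verification must use the raw body.
  const pretty = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8')), null, 2));
  const forged = Buffer.from('{"event":"example","contactId":"demo-999"}');
  return {
    genuine: verifyWebhook(headers, rawBody, pem(sender)),
    tampered: verifyWebhook(headers, forged, pem(sender)),
    reserialized: verifyWebhook(headers, pretty, pem(sender)),
    missingHeader: verifyWebhook({}, rawBody, pem(sender)),
    truncated: verifyWebhook({ [SIGNATURE_HEADER]: sig.slice(0, 20) }, rawBody, pem(sender)),
    wrongKey: verifyWebhook(headers, rawBody, pem(other)),
  };
}

console.log(demo());
```

Only the genuine request returns 200. The reserialized case is the one that most often trips up real handlers, so capture the body bytes before any JSON parsing touches them.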

Frequently asked questions

What is an Ed25519 Signature in GoHighLevel?

It is a cryptographic signature GoHighLevel adds to outbound webhook requests. Your server verifies the signature to confirm the request is genuine and the payload was not tampered with.

Do I have to verify the Ed25519 signature?

You do not have to, but you should. Without verification, any attacker who discovers your webhook URL can send fake requests. Verification takes a few lines of code and prevents that risk.

Where do I find GoHighLevel's public key for verification?

GoHighLevel publishes the public key in its developer documentation. You fetch it once and store it in your server configuration.

Related terms

Outbound Webhook: The webhook type that carries the Ed25519 signature.
Inbound Webhook: Receive data from external systems into GoHighLevel.
Private Integration Token: Auth token for direct API calls to GoHighLevel.
Idempotency Key: Prevent duplicate processing of repeated webhook deliveries.