Security
Learn how to secure your webhook endpoints and validate webhook signatures
Signature Verification
Every webhook request includes an X-Zellify-Signature
header containing a hex-encoded HMAC-SHA-256 of the raw request body, computed with your webhook secret. Here's how to verify it:
```typescript
import crypto from 'crypto';
import express from 'express';

const app = express();

const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;
if (!WEBHOOK_SECRET) {
  throw new Error('WEBHOOK_SECRET is not set');
}

function verifyWebhookSignature(
  payload: string | Buffer,
  signature: string | undefined,
  secret: string
): boolean {
  if (!signature) {
    return false;
  }
  const hmac = crypto.createHmac('sha256', secret);
  const expected = Buffer.from(hmac.update(payload).digest('hex'), 'hex');
  const given = Buffer.from(signature, 'hex');
  // timingSafeEqual throws when the buffers differ in length (e.g. a truncated
  // or non-hex header), so reject those cases before comparing
  if (given.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(expected, given);
}

// In your webhook handler: compute the HMAC over the raw body bytes. Re-serialising
// a parsed object (JSON.stringify(req.body)) can change whitespace and key order,
// so its HMAC would not match the one the sender computed.
app.post(
  '/webhooks',
  express.raw({ type: 'application/json' }),
  (req, res) => {
    const header = req.headers['x-zellify-signature'];
    const signature = Array.isArray(header) ? header[0] : header;
    const isValid = verifyWebhookSignature(
      req.body, // Buffer containing the raw request body
      signature,
      WEBHOOK_SECRET
    );
    if (!isValid) {
      return res.status(401).json({ error: 'Invalid signature' });
    }
    // Process the webhook (JSON.parse the body only after verification)...
    res.sendStatus(200);
  }
);
```
Always validate webhook signatures before processing any webhook data. This rejects requests that were not signed with your webhook secret and ensures the authenticity of events.