Secure the webhook

Allow external services to be notified when certain events happen.

Overview

By entering a secret key into the Secret input, every delivery will automatically include a hash signature. The hash signature will appear in each delivery as the value of the X-Signature header.

The hash signature is generated using your webhook's secret token and the payload contents. You can use your programming language of choice to implement HMAC verification in your code; compute the HMAC over the raw request body exactly as received, not over a re-serialized copy, or the digests will not match. The following example shows how an implementation might look in PHP.

PHP Example

For example, you can define the following verifySignature function:

function verifySignature(string $payloadContents, string $receivedSignature): void {
    // The secret entered in the webhook's Secret input, read from the environment
    $secretKey = getenv('SECRET_KEY');

    // Recompute the HMAC-SHA256 (lowercase hex) of the raw payload with the shared secret
    $signature = hash_hmac('sha256', $payloadContents, $secretKey);

    // Constant-time comparison so the check does not leak the expected value through timing
    if (!hash_equals($signature, $receivedSignature)) {
        http_response_code(500);
        echo "Could not verify the request signature.";
        exit;
    }
}

Then you can call it when you receive a webhook payload:

// Read the raw request body; the HMAC must be computed over these exact bytes
$payloadContents = file_get_contents('php://input');

// Read the signature from the HTTP header named 'X-Signature' (empty if absent)
$receivedSignature = isset($_SERVER['HTTP_X_SIGNATURE']) ? $_SERVER['HTTP_X_SIGNATURE'] : '';

// Now, call the function with the payload and the received signature
verifySignature($payloadContents, $receivedSignature);

// If the function doesn't exit, the signature is verified
echo "Signature verified successfully.";
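The same flow in Python, as an added example that is not part of the original page: it shows both the sender computing the signature and the receiver verifying it before parsing the body. It assumes the header carries the lowercase hex digest that PHP's hash_hmac produces, that the secret is passed in by the caller (standing in for getenv('SECRET_KEY')), and that a rejected delivery gets a 403 rather than the 500 the PHP snippet sends; the payload and secret are constructed demo values.

```python
import hmac
import hashlib
import json

SIGNATURE_HEADER = "x-signature"  # header names are matched case-insensitively


def sign_payload(secret: str, payload: bytes) -> str:
    """Sender side: lowercase hex HMAC-SHA256 over the exact bytes delivered."""
    return hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).hexdigest()


def verify_signature(secret: str, payload: bytes, received_signature: str) -> bool:
    """Receiver side: recompute the HMAC and compare in constant time.

    Returns False instead of raising when the secret is unset or the header is
    missing or malformed, so every failure takes the same reject path.
    """
    if not secret or not received_signature:
        return False
    expected = sign_payload(secret, payload)
    try:
        return hmac.compare_digest(expected, received_signature.strip())
    except TypeError:  # non-ASCII header value can never be a hex digest
        return False


def handle_delivery(secret: str, headers: dict, raw_body: bytes) -> tuple:
    """Mirror of the PHP flow: verify the raw body, and only then parse it."""
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIGNATURE_HEADER, "")
    if not verify_signature(secret, raw_body, received):
        return 403, "Could not verify the request signature."
    event = json.loads(raw_body)  # parsing untrusted JSON only after verification
    return 200, "Signature verified successfully; event=%s" % event["event"]


if __name__ == "__main__":
    secret = "constructed-demo-secret"  # constructed; stands in for SECRET_KEY
    body = json.dumps({"event": "order.created", "id": 42}).encode("utf-8")
    sig = sign_payload(secret, body)
    print(handle_delivery(secret, {"X-Signature": sig}, body))            # 200
    tampered = body.replace(b"42", b"43")  # one changed byte, same signature
    print(handle_delivery(secret, {"X-Signature": sig}, tampered))        # 403
    print(handle_delivery(secret, {}, body))                              # 403
```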

Conclusion

Always secure your webhooks with a secret key so that deliveries whose signature does not verify are rejected, keeping the payload's integrity intact.