Learn how to verify webhook signatures to ensure that incoming webhooks come from Notch Pay
x-notch-signature
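const crypto = require('crypto');

/**
 * Check a webhook signature against the HMAC-SHA256 of the payload.
 *
 * @param {string|Buffer} payload - Request body the signature is computed over.
 * @param {string} signature - Hex signature taken from the request header.
 * @param {string} hash - Webhook hash (shared secret) used as the HMAC key.
 * @returns {boolean} true only when the signature matches; false for a
 *   missing, empty, wrong-length or non-matching signature.
 */
function verifyWebhookSignature(payload, signature, hash) {
  // A request without the header yields undefined; Buffer.from(undefined)
  // would throw and turn an unauthenticated request into an unhandled error.
  if (typeof signature !== 'string' || signature.length === 0) {
    return false;
  }

  const expectedSignature = crypto
    .createHmac('sha256', hash)
    .update(payload)
    .digest('hex');

  const received = Buffer.from(signature);
  const expected = Buffer.from(expectedSignature);

  // crypto.timingSafeEqual() throws a RangeError when the two buffers differ
  // in length, so reject on length first. The expected length is fixed by
  // the digest size, so this check does not depend on the secret.
  if (received.length !== expected.length) {
    return false;
  }

  return crypto.timingSafeEqual(received, expected);
}

app.post('/webhooks/notchpay', (req, res) => {
  // NOTE(review): this re-serialises the parsed body. If the signature is
  // computed over the raw request bytes, key order or whitespace differences
  // make valid webhooks fail verification; prefer capturing the raw body
  // and verifying that instead. Confirm against the provider's documentation.
  const payload = JSON.stringify(req.body);
  const signature = req.headers['x-notch-signature'];
  // Placeholder value: load the real secret from configuration or the
  // environment rather than hard-coding it in source.
  const hash = 'your_webhook_hash'; // Use test_hash for sandbox, live_hash for production

  if (!verifyWebhookSignature(payload, signature, hash)) {
    return res.status(403).send('Invalid signature');
  }

  // Process the webhook
  // ...
});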
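<?php

/**
 * Check a webhook signature against the HMAC-SHA256 of the payload.
 *
 * @param string $payload   Raw request body the signature is computed over.
 * @param mixed  $signature Hex signature taken from the request header.
 * @param string $hash      Webhook hash (shared secret) used as the HMAC key.
 * @return bool True only when the signature matches; false for a missing,
 *              empty or non-matching signature.
 */
function verifyWebhookSignature($payload, $signature, $hash)
{
    // hash_equals() requires two strings; a missing header must be rejected
    // here rather than raising an error inside the comparison.
    if (!is_string($signature) || $signature === '') {
        return false;
    }

    $expectedSignature = hash_hmac('sha256', $payload, $hash);

    // hash_equals() compares in constant time; the known (expected) value
    // goes first.
    return hash_equals($expectedSignature, $signature);
}

// Read the raw request body; the stream wrapper is "php://input".
$payload = file_get_contents('php://input');
// The header is absent on unsigned requests, so do not index it blindly.
$signature = isset($_SERVER['HTTP_X_NOTCH_SIGNATURE']) ? $_SERVER['HTTP_X_NOTCH_SIGNATURE'] : '';
// Placeholder value: load the real secret from configuration or the
// environment rather than hard-coding it in source.
$hash = 'your_webhook_hash'; // Use test_hash for sandbox, live_hash for production

// An unreadable body (false) is treated the same as a bad signature.
if ($payload === false || !verifyWebhookSignature($payload, $signature, $hash)) {
    http_response_code(403);
    echo json_encode(['error' => 'Invalid signature']);
    exit;
}

// Process the webhook
// ...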
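import hmac
import hashlib


def verify_webhook_signature(payload, signature, hash_key):
    """Check a webhook signature against the HMAC-SHA256 of the payload.

    Args:
        payload: Request body the signature is computed over, as ``bytes``
            or ``str`` (a ``str`` is encoded as UTF-8).
        signature: Hex signature taken from the request header; may be
            ``None`` when the header is absent.
        hash_key: Webhook hash (shared secret) used as the HMAC key.

    Returns:
        True only when the signature matches; False for a missing, empty
        or non-matching signature.
    """
    # A missing header gives None, and hmac.compare_digest() raises
    # TypeError on None, which would surface as a server error instead of
    # a clean rejection.
    if not isinstance(signature, str) or not signature:
        return False

    payload_bytes = payload.encode('utf-8') if isinstance(payload, str) else payload
    expected_signature = hmac.new(
        hash_key.encode('utf-8'),
        payload_bytes,
        hashlib.sha256
    ).hexdigest()

    # Compare as bytes: compare_digest() rejects non-ASCII str arguments
    # with TypeError, and the header value is attacker-controlled.
    return hmac.compare_digest(
        expected_signature.encode('ascii'),
        signature.encode('utf-8')
    )


@app.route('/webhooks/notchpay', methods=['POST'])
def webhook():
    """Reject webhook requests whose signature does not verify."""
    # Verify the raw bytes as received; decoding first would raise on a
    # body that is not valid UTF-8 before the signature is even checked.
    payload = request.data
    signature = request.headers.get('x-notch-signature')
    # Placeholder value: load the real secret from configuration or the
    # environment rather than hard-coding it in source.
    hash_key = 'your_webhook_hash'  # Use test_hash for sandbox, live_hash for production

    if not verify_webhook_signature(payload, signature, hash_key):
        return jsonify({'error': 'Invalid signature'}), 403

    # Process the webhook
    # ...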
crypto.timingSafeEqual()
hash_equals()