Verifying Webhooks
Learn how to verify webhook signatures to ensure they come from Notch Pay
When receiving webhooks from Notch Pay, it’s crucial to verify that they actually come from Notch Pay and not from a malicious source. This guide will show you how to verify webhook signatures to ensure the authenticity of webhook notifications.
Why Verify Webhooks?
Verifying webhooks is essential for security reasons:
- It ensures that the webhook was sent by Notch Pay
- It prevents malicious actors from sending fake webhook events
- It confirms that the webhook payload hasn’t been tampered with
How Webhook Verification Works
Notch Pay signs each webhook with your hash key using HMAC SHA-256. When you receive a webhook:
- Notch Pay includes a signature in the `x-notch-signature` header
- You use your webhook hash to compute the expected signature
- You compare the expected signature with the received signature
- If they match, the webhook is authentic
Getting Your Webhook Hash
To verify webhooks, you need your webhook hash:
- Log in to your Notch Pay Business suite
- Navigate to Settings > API Keys
- Find your webhook endpoint and note the “Hash Key”
Keep this hash secure and never expose it in client-side code. This hash is specifically designed for webhook signature verification.
Verifying Signatures in Different Languages
Node.js
PHP
Python
Best Practices for Webhook Verification
- Always Verify Signatures: Never skip signature verification, even in development
- Use Constant-Time Comparison: Use functions like `crypto.timingSafeEqual()` or `hash_equals()` to prevent timing attacks
- Keep Your Hash Secure: Store your webhook hash securely and never expose it in client-side code
- Validate the Payload: After verifying the signature, validate the payload structure
- Handle Errors Gracefully: Return appropriate error responses when verification fails
- Use the Correct API Key: Remember to use the hash key specifically for webhook verification, not your public or private API keys
Testing Webhook Verification
To test your webhook verification:
- Set up your webhook endpoint with verification
- Use the “Test” feature in your Notch Pay dashboard
- Verify that valid webhooks are processed correctly
- Test with an invalid signature to ensure verification fails as expected
Troubleshooting Verification Issues
If you’re having trouble with webhook verification:
- Check the Hash Key: Ensure you’re using the correct webhook hash, not your public or private API key
- Check the Environment: Make sure you’re using the sandbox hash for test webhooks and the production hash for live webhooks
- Check the Header Name: Make sure you’re reading the correct header (`x-notch-signature`)
- Check for Whitespace: Ensure there’s no extra whitespace in your hash or payload
- Check the Payload Format: The payload should be the raw JSON string
- Check the Algorithm: Ensure you’re using HMAC SHA-256
- Verify API Key Type: Confirm you’re using the hash key specifically designed for webhook verification
Next Steps
- Webhook Overview - Learn how to set up webhook endpoints
- Webhooks API - Use the API to manage your webhook endpoints