Verifying Webhooks
When receiving webhooks from Notch Pay, it is crucial to verify that they actually come from Notch Pay and not from a malicious source. This guide shows you how to verify webhook signatures to ensure the authenticity of webhook notifications.
Why Verify Webhooks?
Verifying webhooks is essential for security reasons:
- It ensures that the webhook was sent by Notch Pay
- It prevents malicious actors from sending fake webhook events
- It confirms that the webhook payload has not been tampered with
How Webhook Verification Works
Notch Pay signs each webhook with your hash key using HMAC SHA-256, computed over the raw JSON body of the request. When you receive a webhook:
- Notch Pay includes the signature in the `x-notch-signature` header
- You use your hash key to compute the expected signature over the raw request body, exactly as received (do not re-serialize the parsed JSON)
- You compare the expected signature with the received signature using a constant-time comparison
- If they match, the webhook is authentic; if they do not, reject the request without processing the event
Getting Your Webhook Hash
To verify webhooks, you need your webhook hash key:
- Log in to your Notch Pay Business suite
- Navigate to Settings > API Keys
- Find your webhook endpoint and note the "Hash Key"
Verifying Signatures in Different Languages (Node.js, PHP, Python)
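The following is an added Python example, not code from the Notch Pay documentation or SDK, that walks through the verification steps above: compute HMAC SHA-256 over the raw body with the hash key, compare it in constant time with the `x-notch-signature` header, and only then parse and validate the JSON. It assumes the header carries a lowercase hex digest (the page does not state the encoding; swap `hexdigest()` for base64 if your dashboard's test webhooks show base64). The hash key, payload and the `event` field name are constructed sample values, not the documented schema.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Header name documented by Notch Pay.
SIGNATURE_HEADER = "x-notch-signature"


def compute_signature(raw_body: bytes, hash_key: str) -> str:
    """HMAC-SHA256 of the raw request body, keyed with the webhook hash key.

    Assumption (not confirmed by the page): the signature is sent as a
    lowercase hex digest. For base64 use base64.b64encode(mac.digest()).
    """
    mac = hmac.new(hash_key.encode("utf-8"), raw_body, hashlib.sha256)
    return mac.hexdigest()


def verify_signature(raw_body: bytes, received: Optional[str], hash_key: str) -> bool:
    """True only if the received header matches the computed signature.

    - Missing or empty header: reject.
    - Surrounding whitespace and hex case are tolerated (a common
      troubleshooting pitfall), but nothing else is normalised.
    - hmac.compare_digest keeps the comparison constant-time so an attacker
      cannot learn the signature byte by byte from response timing.
    """
    if not received:
        return False
    expected = compute_signature(raw_body, hash_key).encode("ascii")
    candidate = received.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, candidate)


def handle_webhook(headers: dict, raw_body: bytes, hash_key: str) -> Tuple[int, dict]:
    """Framework-agnostic handler returning (HTTP status, response body).

    Order matters: verify over the raw bytes first, then parse JSON, then
    check the payload shape, then act on the event.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(raw_body, lowered.get(SIGNATURE_HEADER), hash_key):
        return 401, {"error": "invalid signature"}
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    # Payload validation; the "event" field is an assumed name, not the documented schema.
    if not isinstance(event, dict) or "event" not in event:
        return 400, {"error": "unexpected payload shape"}
    return 200, {"received": event["event"]}


if __name__ == "__main__":
    # Constructed sample values; the real hash key comes from Settings > API Keys.
    HASH_KEY = "example_hash_key_do_not_use"
    body = b'{"event":"payment.complete","data":{"reference":"trx_123","amount":5000}}'
    sig = compute_signature(body, HASH_KEY)

    print("valid    ->", handle_webhook({SIGNATURE_HEADER: sig}, body, HASH_KEY))
    tampered = body.replace(b"5000", b"1")
    print("tampered ->", handle_webhook({SIGNATURE_HEADER: sig}, tampered, HASH_KEY))
    print("missing  ->", handle_webhook({}, body, HASH_KEY))
```

`compute_signature` doubles as a test helper: sign a sample body with your sandbox hash key to produce a valid request, then flip one byte of the body or the header to confirm the endpoint returns 401 rather than processing the event.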
Best Practices for Webhook Verification
- Always Verify Signatures: Never skip signature verification, even in development
- Use Constant-Time Comparison: Use functions like `crypto.timingSafeEqual()` or `hash_equals()` to prevent timing attacks; a plain string equality check returns as soon as the first byte differs, which leaks how much of the signature an attacker has guessed correctly
- Keep Your Hash Secure: Store your webhook hash key securely, never expose it in client-side code, and do not commit it to source control
- Validate the Payload: After verifying the signature, validate the payload structure before acting on it
- Handle Errors Gracefully: Return an appropriate error response (for example 401) when verification fails, and do not process the event
- Use the Correct API Key: Use the hash key specifically for webhook verification, not your public or private API keys
Testing Webhook Verification
To test your webhook verification:
- Set up your webhook endpoint with verification
- Use the "Test" feature in your Notch Pay dashboard
- Verify that valid webhooks are processed correctly
- Test with an invalid signature to ensure verification fails as expected
Troubleshooting Verification Issues
If you are having trouble with webhook verification:
- Check the Hash Key: Ensure you are using the correct webhook hash key, not your public or private API key
- Check the Environment: Make sure you are using the sandbox hash key for test webhooks and the production hash key for live webhooks
- Check the Header Name: Make sure you are reading the correct header (`x-notch-signature`)
- Check for Whitespace: Ensure there is no extra whitespace in your hash key or payload
- Check the Payload Format: The payload should be the raw JSON string as received, not a re-serialized version of the parsed object
- Check the Algorithm: Ensure you are using HMAC SHA-256
- Verify API Key Type: Confirm you are using the hash key specifically designed for webhook verification
Next Steps
- Webhook Overview - Learn how to set up webhook endpoints
- Webhooks API - Use the API to manage your webhook endpoints