Security & HMAC

Learn about HMAC signature verification and security best practices for webhook integration.

HMAC Signature Verification

HMAC (Hash-based Message Authentication Code) ensures that webhooks are authentic and haven't been tampered with. Every webhook request includes a signature that we verify using your secret key.

How it works:
1. Your store creates a signature using HMAC-SHA256 and your secret key
2. The signature is sent in the webhook header (e.g., X-Signature)
3. Our system recalculates the signature using the same secret
4. If signatures match, the webhook is processed
5. If they don't match, the request is rejected

Security Best Practices

Strong Secrets: Use long, random HMAC secrets
HTTPS Only: Always use secure connections
Secret Rotation: Regularly update your secrets
IP Whitelisting: Restrict webhook sources
Rate Limiting: Prevent abuse and spam
Logging: Monitor webhook activity

Supported Algorithms

SHA-1

Fast, legacy support

SHA-256

Recommended, secure

SHA-512

Maximum security

Security Warning: Never share your HMAC secret publicly or commit it to version control. Use environment variables or secure secret management systems.

PreviousCustom Conditions NextTesting

Last updated 1 month ago