Webhook Security

Webhook Security

Webhooks include a signature header that you can verify to ensure the request came from Reload:

X-Webhook-Signature: sha256=signature
X-Webhook-Event: payment.success

Webhook Signature Verification

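All webhooks include an HMAC-SHA256 signature in the X-Webhook-Signature header for security verification. The header value is shown above with a sha256= prefix, so strip that prefix before comparing, and compare the digests with a constant-time function such as crypto.timingSafeEqual rather than a plain string comparison: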

const crypto = require('crypto');

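/**
 * Check a webhook signature against an HMAC-SHA256 of the payload.
 *
 * Fails closed: a missing payload, signature or secret yields `false`
 * instead of throwing or comparing against a digest keyed with an
 * empty secret.
 *
 * @param {string|Buffer} payload - Request body the signature covers.
 * @param {string} signature - Value of the X-Webhook-Signature header,
 *   either the bare hex digest or prefixed with `sha256=`.
 * @param {string|Buffer} secret - Shared webhook secret.
 * @returns {boolean} `true` only when the signature matches.
 */
function verifyWebhookSignature(payload, signature, secret) {
  if (payload == null) return false;
  if (typeof signature !== 'string' || signature.length === 0) return false;
  // An unset or empty secret would make the digest forgeable by anyone.
  if (secret == null || secret.length === 0) return false;

  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  // The documented header format is `sha256=<hex digest>`; accept the bare
  // digest as well so existing callers that already strip it keep working.
  const prefix = 'sha256=';
  const provided = signature.startsWith(prefix)
    ? signature.slice(prefix.length)
    : signature;

  // Compare as bytes of the hex text, not decoded hex: Buffer.from(x, 'hex')
  // silently truncates at the first invalid character.
  const expectedBytes = Buffer.from(expectedSignature, 'utf8');
  const providedBytes = Buffer.from(provided, 'utf8');

  // timingSafeEqual throws on unequal lengths. The expected length is
  // public (64 hex characters), so this early exit leaks nothing.
  if (providedBytes.length !== expectedBytes.length) return false;

  // Constant-time comparison: `===` stops at the first differing character,
  // which can expose how much of a guessed signature is correct.
  return crypto.timingSafeEqual(providedBytes, expectedBytes);
}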

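// In your webhook handler
app.post('/webhooks/reload', (req, res) => {
  const signature = req.headers['x-webhook-signature'];
  const secret = process.env.RELOAD_WEBHOOK_SECRET;

  // Refuse to run unconfigured: without a secret nothing can be verified.
  if (!secret) {
    console.error('RELOAD_WEBHOOK_SECRET is not set; rejecting webhook');
    return res.status(500).json({ error: 'Webhook verification unavailable' });
  }

  // The HMAC has to be computed over the same bytes the sender signed.
  // If the route is configured to hand over the raw body as a Buffer,
  // use it as-is. Otherwise fall back to re-serializing the parsed body.
  // NOTE(review): re-serialization only matches when JSON.stringify
  // reproduces the sender's output byte-for-byte (key order, number and
  // escape formatting). Confirm which bytes Reload signs.
  const rawBody = Buffer.isBuffer(req.body) ? req.body : null;
  const payload = rawBody ?? JSON.stringify(req.body);

  // Verify before parsing or acting on anything in the body.
  if (!verifyWebhookSignature(payload, signature, secret)) {
    return res.status(401).json({ error: 'Invalid signature' });
  }

  let body = req.body;
  if (rawBody) {
    try {
      body = JSON.parse(rawBody.toString('utf8'));
    } catch {
      return res.status(400).json({ error: 'Invalid JSON' });
    }
  }
  if (body === null || typeof body !== 'object') {
    return res.status(400).json({ error: 'Invalid payload' });
  }

  // Process webhook event
  const { event, data } = body;
  // Handle the event...

  res.status(200).json({ success: true });
});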