Securing a webhook

How do I secure my webhook?

Exposing an API endpoint on your server poses a security risk if it is left unsecured. Parties other than PayMongo may try to call the endpoint to obtain information, modify your data or overload your server. To prevent this, we add a Paymongo-Signature HTTP header to every request we send to your webhook. This header can be used to verify that the request really came from PayMongo. Below is a sample Paymongo-Signature header.

t=1496734173,te=1447a89e7ecebeda32sffs62cdca3fa51cad7e77a0e56ff536d0ce8e108d8bd,li=3f7bs59d200aae63f272406069a9788598b792a944a07aba816edb039989a39

The Paymongo-Signature is made of three parts separated by a comma (,):

  1. t is the timestamp of the request.
  2. te is the test mode signature.
  3. li is the live mode signature.

li vs te

The next step is to generate your own signature with the help of the webhook's secret key and compare it against the signature in the header. You must compare the signature you generate against the value of li if the event is in live mode, or against the value of te if the event is in test mode.

1. Split Paymongo-Signature

The Paymongo-Signature can be split into three parts: t, te and li. The signature uses , to separate the timestamp and the signatures for live and test modes.

2. Concatenate the following to create your own signature:

a. The timestamp as a string, e.g. 1496734173

b. A . character

c. The JSON payload of the request you received. NOTE: You must use the raw payload of the request exactly as it was received; re-serializing a parsed body can change whitespace or key order and produce a different signature. Check the documentation of your programming language or framework on how to obtain the raw body of an API request.

3. Run the Concatenated Values Through HMAC with SHA256

Use the HMAC with SHA256 hash function with the webhook’s secret key as the cryptographic key. The webhook’s signing secret key is returned in the HTTP response when the webhook was created.


4. Compare Signatures

Compare your own signature against the value of li for live mode, or against the value of te for test mode. If they do not match, discard the request: the sender is not PayMongo.

For additional security, you may also compare the timestamp from the header against the current time. If the difference is too large, the request may be old and may have been replayed. This step is optional.
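The four steps above, carried through as an added example in Python. This is not PayMongo's own library code; it assumes the signatures in the header are lowercase hex digests of HMAC-SHA256, as the sample header suggests, and the secret key, payload and tolerance window used here are constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional


def parse_signature_header(header: str) -> Dict[str, str]:
    """Step 1: split 't=...,te=...,li=...' into a dict keyed by t, te and li."""
    parts: Dict[str, str] = {}
    for item in header.split(","):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        parts[key.strip()] = value.strip()
    return parts


def compute_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Steps 2 and 3: HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the webhook secret.

    raw_body must be the bytes exactly as received; re-serialized JSON may differ.
    """
    message = timestamp.encode("utf-8") + b"." + raw_body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_webhook(
    header: str,
    raw_body: bytes,
    secret: str,
    live_mode: bool,
    tolerance_seconds: Optional[int] = 300,
    now: Optional[int] = None,
) -> bool:
    """Step 4: compare against li (live) or te (test) and optionally reject stale timestamps."""
    parts = parse_signature_header(header)
    timestamp = parts.get("t")
    expected = parts.get("li" if live_mode else "te")
    if timestamp is None or expected is None:
        return False

    computed = compute_signature(secret, timestamp, raw_body)
    # Constant-time comparison so a forged header cannot be refined byte by byte.
    if not hmac.compare_digest(computed, expected):
        return False

    # Optional replay check: discard requests whose timestamp is too far from now.
    if tolerance_seconds is not None:
        try:
            sent_at = int(timestamp)
        except ValueError:
            return False
        current = int(time.time()) if now is None else now
        if abs(current - sent_at) > tolerance_seconds:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not a real PayMongo secret or event.
    secret_key = "whsk_constructed_example_secret"
    body = b'{"data":{"id":"evt_constructed","type":"event"}}'
    sent = "1496734173"
    sig = compute_signature(secret_key, sent, body)
    sample_header = f"t={sent},te={sig},li=0000000000000000000000000000000000000000000000000000000000000000"
    print("test mode ok:", verify_webhook(sample_header, body, secret_key, live_mode=False,
                                          tolerance_seconds=None))
    print("live mode ok:", verify_webhook(sample_header, body, secret_key, live_mode=True,
                                          tolerance_seconds=None))
```

Pass `tolerance_seconds=None` to skip the optional timestamp check; `now` exists only so the replay check can be tested deterministically.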


Deleting webhooks

You cannot delete webhooks if you don't want to use them anymore. Instead, you can disable them to avoid receiving events for a certain webhook. You can check this section for more information.