
Webhook Security

Webhook event signature verification and secure handling guide

What is Webhook Signature Verification?

Webhook signature verification is a security mechanism that ensures the webhook events you receive genuinely come from PaymentGate and not from an attacker forging requests. Each webhook request includes a signature computed over the request with a shared secret key (HMAC-SHA256). The payload is signed, not encrypted, so the signature proves origin and integrity but does not hide the event data.

⚠️ Why is Signature Verification Important?

  • Prevents malicious attackers from forging webhook events
  • Ensures event data integrity
  • Avoids replay attacks and man-in-the-middle attacks
  • Meets security compliance requirements

Webhook Workflow

  1. Event Occurs: payment status changes
  2. Generate Signature: PaymentGate signs the event with the secret key
  3. Send Request: POST to your endpoint
  4. Verify Signature: your endpoint confirms event authenticity

Signature Format

PaymentGate includes the signature in the HTTP header of each webhook request:

PaymentGate-Signature: t=1618840000,v1=5257a869e7ecebeda32affa62cdca3fa51cad7e77a0e56ff536d0ce8e108d8bd

t = Timestamp (Unix time)

v1 = HMAC-SHA256 signature
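
A verification routine for the header format above, as an added example (not PaymentGate's own code). This page does not say which bytes are signed or how old a timestamp may be, so the signed message "<t>.<raw body>" and the 300-second tolerance are assumptions, as are the function names, secret and sample event.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # ASSUMPTION: replay window; not specified on this page

def parse_signature_header(header):
    """Split 't=<unix>,v1=<hex>' into (timestamp, [v1 signatures])."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed signature header")
        if key == "t":
            timestamp = int(value)  # raises ValueError if not numeric
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("missing t or v1 in signature header")
    return timestamp, signatures

def sign(secret, timestamp, body):
    # ASSUMPTION: the signed message is "<t>.<raw body>"; confirm the real
    # construction in PaymentGate's documentation before relying on this.
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify_webhook(secret, header, body, now=None):
    """Return True only for a fresh, correctly signed request."""
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a possible replay
    expected = sign(secret, timestamp, body).encode()
    # compare_digest is constant-time, so a mismatch leaks no timing signal
    return any(hmac.compare_digest(expected, s.encode()) for s in signatures)

# Constructed sample values, not real credentials or events.
SECRET = b"whsec_example_placeholder"
BODY = b'{"event":"payment.succeeded","id":"evt_constructed_1"}'
HEADER = "t=1618840000,v1=" + sign(SECRET, 1618840000, BODY)
```

Pass the raw request bytes as body, exactly as received; re-serializing parsed JSON can change the bytes and make a valid signature fail.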