How To Validate Webhooks

You can effortlessly verify webhooks received from the platform by following these steps:

Signature Inclusion: Every sent webhook includes a signature in the headers. This signature is the encrypted webhook data using the merchant's (i.e Distributor) private secret API key.

Your secret API Key is located at Settings > Api Key & Web hooks.

It is usually annotated with "MCASECK".

Validation on Merchant's End: Merchants can follow the same encryption steps using their secret API key. Then, they can compare the created signature with the one they received. If the signatures are the same, it's safe to go ahead and use the webhook information. However, if the signatures don't match, they should ignore the webhook and not use the information it carries.

const crypto = require("crypto");

const secretKey = 'MCASECK|49939d32-f649-4de4-ab35-51060ca292f9';

const signature = crypto
  .createHmac("sha512", secretKey)

if (req.headers['x-mycoverai-signature'] === signature) {
      const event = req.body;
      // Do something with event - that will not take long
      // Return Ok

Last updated