To provide additional security and to ensure that your application is protected against untrusted incoming requests, we include a signature in each webhook request. Each request carries a base64-encoded X-HelixPay-Signature header, which is generated using your API secret key along with the data sent.
Sample PHP Verification
To verify the signature, create the same SHA-256 HMAC signature and then compare it with the signature received in the X-HelixPay-Signature header.
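// Recompute the signature: base64 of the hex-encoded HMAC-SHA256 of the timestamp header.
$computedHmac = base64_encode(hash_hmac('sha256', $_SERVER['HTTP_X_HELIXPAY_TIMESTAMP'] ?? '', API_SECRET_KEY));
// hash_equals() compares in constant time; the known (computed) value goes first.
if (hash_equals($computedHmac, $_SERVER['HTTP_X_HELIXPAY_SIGNATURE'] ?? '')) {
    // Do something here
}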
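Sample Node.js Verification
const crypto = require('crypto');
// HELIXPAY_TIMESTAMP and HELIXPAY_SIGNATURE hold the X-HelixPay-Timestamp and X-HelixPay-Signature request header values.
const computedHmac = Buffer.from(
    crypto.createHmac('sha256', API_SECRET_KEY).update(HELIXPAY_TIMESTAMP).digest('hex')
).toString('base64');
// Compare in constant time; timingSafeEqual() requires buffers of equal length.
const expected = Buffer.from(computedHmac);
const received = Buffer.from(HELIXPAY_SIGNATURE);
if (expected.length === received.length && crypto.timingSafeEqual(expected, received)) {
    // Do something here
}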
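The samples above sign only the timestamp header, so a receiver may also want to reject old timestamps once the signature has been verified. The following is an added example, not HelixPay's own code: the function names, the 300-second tolerance, and the assumption that the timestamp is Unix epoch seconds are all hypothetical, and the sample values are constructed.

```javascript
const crypto = require('crypto');

// Signature format used by the samples on this page:
// base64( hex( HMAC-SHA256(timestamp, secret) ) )
function computeSignature(timestamp, secret) {
  const hex = crypto.createHmac('sha256', secret).update(String(timestamp)).digest('hex');
  return Buffer.from(hex).toString('base64');
}

// headers: lower-cased header map, as Node's http module provides it.
// Assumptions: the timestamp is Unix epoch seconds; toleranceSeconds is a local policy choice.
function verifyWebhook(headers, secret, nowSeconds, toleranceSeconds = 300) {
  const timestamp = headers['x-helixpay-timestamp'];
  const signature = headers['x-helixpay-signature'];
  if (typeof timestamp !== 'string' || typeof signature !== 'string') {
    return { ok: false, reason: 'missing-header' };
  }

  const expected = Buffer.from(computeSignature(timestamp, secret));
  const received = Buffer.from(signature);
  // timingSafeEqual() throws on unequal lengths, so check the length first.
  if (expected.length !== received.length ||
      !crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: 'bad-signature' };
  }

  // Only after the signature is valid: reject old timestamps so that a
  // captured header pair is not accepted indefinitely.
  const sent = Number(timestamp);
  if (!Number.isFinite(sent) || Math.abs(nowSeconds - sent) > toleranceSeconds) {
    return { ok: false, reason: 'stale-timestamp' };
  }
  return { ok: true, reason: null };
}

// Constructed sample values, not real HelixPay data.
const SAMPLE_SECRET = 'test_secret_constructed';
const SAMPLE_NOW = 1700000000;
function sampleHeaders(timestamp) {
  return {
    'x-helixpay-timestamp': String(timestamp),
    'x-helixpay-signature': computeSignature(timestamp, SAMPLE_SECRET),
  };
}
```

In a real handler, pass `Math.floor(Date.now() / 1000)` as `nowSeconds` and return an error response for any result where `ok` is false.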