Webhook Signature

All webhooks sent from Coinify are signed with a shared secret that is known only by you and Coinify. This ensures the integrity of the data contained in the webhook and also proves that Coinify is the sender of the webhook.

Specifically, the signature uses HMAC-SHA256, using the shared secret as the key and the full HTTP request body (UTF-8 encoded) as the message. The resulting signature is provided in lowercase hexadecimal format in the x-coinify-webhook-signature HTTP header.

For example, the header for the payload {"examplePayload":true}, signed with the shared secret my-shared-secret, looks like:

x-coinify-webhook-signature: bcdbb89e3031905f3cc1a20d16b5f969a17a7d8fa0c26e4a807c2193402d66f4

Important: Never consume the payload before validating the signature.
Use the recipe below for step-by-step instructions.
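
A receiver-side check for the scheme described above, as an added example that is not Coinify's own code or recipe. The function names and the dict-of-headers interface are assumptions; the secret and payload reuse the sample values from the text.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-coinify-webhook-signature"  # header name from the page


def compute_signature(shared_secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact request body bytes, as lowercase hex."""
    return hmac.new(shared_secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_and_parse(shared_secret: str, headers: dict, raw_body: bytes):
    """Return the parsed payload only if the signature matches, else None.

    raw_body must be the bytes as received on the wire: re-serialising parsed
    JSON can change whitespace or key order and would no longer match the MAC.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER)
    if not received:
        return None  # unsigned request: reject without touching the body
    expected = compute_signature(shared_secret, raw_body)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode("ascii"), received.strip().encode("utf-8")):
        return None
    return json.loads(raw_body)  # parsing happens only after verification


if __name__ == "__main__":
    # Constructed sample values, reusing the secret and payload from the text above.
    secret = "my-shared-secret"
    body = b'{"examplePayload":true}'
    good = {"X-Coinify-Webhook-Signature": compute_signature(secret, body)}
    print(verify_and_parse(secret, good, body))                         # parsed payload
    print(verify_and_parse(secret, good, b'{"examplePayload":false}'))  # None
```

In a web framework, pass the unparsed request body (for example the raw bytes exposed by the framework) rather than a decoded JSON object.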