Getting Started
- Generate a webhook secret in your developer dashboard (Developers > Api keys).
- Store this secret securely - you'll need it to verify incoming webhooks.
- Cashless will include this secret as the signature in the X-Webhook-Signature header of all webhook requests.
When you receive a webhook, you should:
- Get the signature from the X-Webhook-Signature header.
- Compare this value with your stored webhook secret.
- Only process the webhook if the signatures match.
Here's an example of verifying a webhook in Node.js:
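const crypto = require('crypto');
const express = require('express');
const app = express();

app.post('/webhook', (req, res) => {
  const signature = req.headers['x-webhook-signature'] || '';
  const webhookSecret = process.env.WEBHOOK_SECRET; // Your stored secret
  // Hash both values so the constant-time comparison gets equal-length inputs
  const received = crypto.createHash('sha256').update(String(signature)).digest();
  const expected = crypto.createHash('sha256').update(String(webhookSecret)).digest();
  // Reject if the secret is not configured or the values differ
  if (!webhookSecret || !crypto.timingSafeEqual(received, expected)) {
    return res.status(401).send('Invalid signature');
  }
  // Process webhook...
});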
- Always verify the signature of incoming webhooks.
- Keep your webhook secret secure and never commit it to version control.
- Rotate your webhook secret periodically.
- Use HTTPS endpoints for receiving webhooks.
- Implement timeout handling for webhook processing.
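The comparison steps and the rotation advice above, combined in an added example that is not Cashless's own code: it checks the X-Webhook-Signature value in constant time against a list of accepted secrets and rejects a missing header or an unset secret. The function name, the overlap of current and previous secret during rotation, and the sample secrets are assumptions made for illustration.

```javascript
// Added example, not Cashless code. Secrets below are constructed samples.
const crypto = require('crypto');

// Hash to a fixed length so timingSafeEqual never throws on a length mismatch.
const digest = (value) => crypto.createHash('sha256').update(value, 'utf8').digest();

// headerValue: req.headers['x-webhook-signature'].
// secrets: accepted secrets, e.g. [current, previous] during a rotation window
// (keeping the previous secret valid for a while is an assumption of this example).
// Returns the index of the matching secret, or -1 to reject.
function matchWebhookSecret(headerValue, secrets) {
  // Fail closed on a missing, empty or non-string header value.
  if (typeof headerValue !== 'string' || headerValue.length === 0) return -1;
  const presented = digest(headerValue);
  let matched = -1;
  secrets.forEach((secret, i) => {
    // Skip unset entries: an undefined environment variable must never match.
    if (typeof secret !== 'string' || secret.length === 0) return;
    // Compare against every candidate instead of stopping at the first match.
    const equal = crypto.timingSafeEqual(presented, digest(secret));
    if (equal && matched === -1) matched = i;
  });
  return matched;
}

const CURRENT = 'constructed-current-secret-0001';
const PREVIOUS = 'constructed-previous-secret-0000';

function demo() {
  const accepted = [CURRENT, PREVIOUS];
  return {
    current: matchWebhookSecret(CURRENT, accepted),
    previous: matchWebhookSecret(PREVIOUS, accepted), // still valid: log it, then retire it
    wrong: matchWebhookSecret('guess', accepted),
    // Header absent and secret unset: a plain `!==` check would let this through.
    bothUnset: matchWebhookSecret(undefined, [undefined]),
  };
}

console.log(demo());
```

A match at index 1 means the sender is still using the previous secret, which is the signal to watch before removing it from the accepted list.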
