Webhook Secrets

Overview

To ensure security and authenticity, Cashless signs all webhook requests. Verify that requests came from Cashless by checking the signature in the webhook headers.

Setting up Webhook Signatures

1. Generate a webhook secret in your developer dashboard. (Developers > API Keys)
2. Store this secret securely — you'll need it to verify incoming webhooks.
3. Cashless will include this signature in the X-Webhook-Signature header of all webhook requests.

Verifying Signatures

When you receive a webhook:

1. Get the signature from the X-Webhook-Signature header.
2. Compare this value with your stored webhook secret.
3. Only process the webhook if the signatures match.

Example in Node.js:

app.post('/webhook', (req, res) => {
  const signature = req.headers['x-webhook-signature'];
  const webhookSecret = process.env.WEBHOOK_SECRET; // Your stored secret

  if (signature !== webhookSecret) {
    return res.status(401).send('Invalid signature');
  }

  // Process webhook...
});

Security Best Practices

• Always verify the signature of incoming webhooks.
• Keep your webhook secret secure and never commit it to version control.
• Rotate your webhook secret periodically.
• Use HTTPS endpoints for receiving webhooks.
• Implement timeout handling for webhook processing.