Verifying webhooks

To verify that a webhook was actually sent by Modern Treasury, every payload is signed with a signature that is passed through as the HTTP header.


Webhook Key

Please contact support if your webhook key is accidentally made public. We will rotate the key and coordinate the change with you.

1. Retrieve your webhook key

You can find your webhook key in your Developer Settings.

2. Generate signature

The signature is hex encoded and can be replicated by applying HMAC-SHA-256 to the body of the webhook with your webhook key.

echo -n "{...}" | openssl dgst -sha256 -hmac "WEBHOOK_KEY"

3. Confirm signature

Webhook signatures are sent in the X-Signature header. You can verify that Modern Treasury sent the event by comparing the signatures. If you feel your URL may be compromised, we recommend updating your Webhook URL.