Verifying webhooks
So that you can verify a webhook was actually sent by Modern Treasury, every payload is signed and the signature is passed in an HTTP header.
Webhook Key
Please contact support if your webhook key is accidentally made public. We will rotate the key and coordinate the change with you.
1. Retrieve your webhook key
You can find your webhook key in your Developer Settings.
2. Generate signature
The signature is hex encoded and can be replicated by applying HMAC-SHA-256 to the body of the webhook with your webhook key.
echo -n "{...}" | openssl dgst -sha256 -hmac "WEBHOOK_KEY"
3. Confirm signature
Webhook signatures are sent in the X-Signature header. You can verify that Modern Treasury sent the event by comparing the signature you generated with the one in the header. If you feel your URL may be compromised, we recommend updating your Webhook URL.
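Steps 2 and 3 as a receiver-side check, added here as an example and not Modern Treasury's own code. The function names, sample key and sample body are constructed, and accepting upper-case hex or surrounding whitespace in the header is an assumption of this example.

```python
import hashlib
import hmac
import json
from typing import Optional


def compute_signature(raw_body: bytes, webhook_key: str) -> str:
    """Hex-encoded HMAC-SHA-256 of the exact request body bytes (step 2)."""
    return hmac.new(webhook_key.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, x_signature: Optional[str], webhook_key: str) -> bool:
    """Return True only if the X-Signature value matches the body's HMAC (step 3)."""
    if not x_signature:
        return False  # missing or empty header: reject the request
    expected = compute_signature(raw_body, webhook_key)
    received = x_signature.strip().lower()
    # Compare as bytes with compare_digest: it runs in constant time, so response
    # timing does not reveal how many leading characters of a guess were correct.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


# Constructed sample values, not a real key or a real Modern Treasury payload.
SAMPLE_KEY = "constructed-example-key"
SAMPLE_BODY = b'{"event":"created","data":{"id":"constructed-example"}}'


def demo() -> dict:
    """Run the check on the sample body, a tampered body and a re-serialized body."""
    signature = compute_signature(SAMPLE_BODY, SAMPLE_KEY)
    # Parsing and re-encoding the JSON changes whitespace, so the bytes (and the
    # HMAC) no longer match: always verify the raw body as it was received.
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode("utf-8")
    return {
        "original": verify_webhook(SAMPLE_BODY, signature, SAMPLE_KEY),
        "tampered": verify_webhook(SAMPLE_BODY.replace(b"created", b"deleted"),
                                   signature, SAMPLE_KEY),
        "reserialized": verify_webhook(reserialized, signature, SAMPLE_KEY),
        "missing_header": verify_webhook(SAMPLE_BODY, None, SAMPLE_KEY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Run the check before any JSON parsing or business logic, and answer a failed check with an error status without processing the event.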
Updated 7 months ago