To verify that a webhook was actually sent by Modern Treasury, every payload is signed with a signature that is passed through as the HTTP header.

Webhook Key

Please [contact support](🔗) if your webhook key is compromised or accidentally made public. We will rotate the key and coordinate the change with you.

## 1. Retrieve your webhook key

You can find your webhook key in your [Developer Settings](🔗).

## 2. Generate signature

The signature is hex encoded and can be replicated by applying HMAC-SHA-256 to the body of the webhook with your webhook key.

## 3. Confirm signature

Webhook signatures are sent in the `X-Signature` header. You can verify that Modern Treasury sent the event by comparing the signatures. If you feel your URL may be compromised, we recommend updating your Webhook URL. It is important not to parse the request body or manipulate the data before performing signature verification.