Validating Webhook Signatures
To ensure your application processes only legitimate requests from meCash, every webhook event is signed with a unique signature.
Verifying this signature is a critical security measure to protect your endpoint from malicious or accidental requests.
Step-by-Step Verification Guide
You can find your secret key for each webhook endpoint in the Developers → Webhooks section of your meCash dashboard.
Step 1: Extract the Signature
Get the value of the X-Signature header from the incoming request.
Note: HTTP headers are case-insensitive, so x-signature and X-Signature are treated the same.
Step 2: Prepare the Payload for Hashing
You must use the raw, unmodified JSON body of the request.
Do not parse and re-stringify the JSON: changes in whitespace or key order will alter the computed hash and cause verification to fail.
Step 3: Compute Your Expected Signature
Calculate an HMAC-512 hash of the raw request body (from Step 2) using your endpoint's secret key.
Step 4: Compare the Signatures
Compare the signature you computed with the one from the X-Signature header.
If they match, the request is valid.
Security Best Practice: Use a timing-attack-safe comparison method instead of == or ===.
This prevents attackers from guessing valid signatures by measuring response times.
Replay Attack Prevention: If your webhook request includes a timestamp (in headers or payload), validate that it's within a short window (e.g., 5 minutes).
Reject older requests to prevent replayed webhooks from being processed.