Webhook Secrets

To ensure the security and authenticity of webhook deliveries, HoneyCoin signs all webhook requests. You can verify that requests came from HoneyCoin by checking the signature in the webhook request's headers.

Setting up Webhook Signatures

  1. Generate a webhook secret in your developer dashboard (Developers > Api keys).
  2. Store this secret securely; you'll need it to verify incoming webhooks.
  3. HoneyCoin will send this secret as the signature value in the X-Webhook-Signature header of every webhook request.

Verifying Signatures

When you receive a webhook, you should:

  1. Read the signature from the X-Webhook-Signature header.
  2. Compare this value with your stored webhook secret.
  3. Only process the webhook if the two values match; otherwise reject the request.

Here's an example of verifying a webhook in Node.js:

const express = require('express');
const app = express();

app.post('/webhook', (req, res) => {
  // Node lower-cases incoming header names, so read the header in lower case.
  const signature = req.headers['x-webhook-signature'];
  const webhookSecret = process.env.WEBHOOK_SECRET; // Your stored secret

  // A missing header compares as undefined and is rejected here as well.
  if (signature !== webhookSecret) {
    return res.status(401).send('Invalid signature');
  }

  // Process webhook...
  res.status(200).send('OK');
});

Security Best Practices

  1. Always verify the signature of incoming webhooks before processing them.
  2. Keep your webhook secret secure and never commit it to version control.
  3. Rotate your webhook secret periodically.
  4. Use HTTPS endpoints for receiving webhooks, so the header value is not exposed in transit.
  5. Implement timeout handling for webhook processing.