Paybeta webhooks include a cryptographic signature in the Signature header to ensure the webhook originated from Paybeta and hasn't been tampered with.
Signature Generation#
The value passed inside the Signature header is calculated using a Hash-based Message Authentication Code (HMAC) with a SHA-256 hashing algorithm.
Key: Your API Secret Key (keep this hidden on your backend server environment).
Data: The reference value located inside the transaction data block (data.reference).
How to Verify the Signature#
Capture the incoming raw JSON payload and extract the data.reference string.
Read the value present inside the Signature request header.
Compute an HMAC-SHA256 hash using the transaction reference as the data string and your merchant secret key as the signing key.
Compare your locally computed string with the header value using a constant-time string comparison method to safeguard against timing analysis side-channel attacks.
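The four steps above as one fail-closed check. This is an added example, not Paybeta's own code. It assumes the Signature header carries the digest hex-encoded, which this page does not state; the function names, the secret and the payload are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values for this example (not real Paybeta data).
SAMPLE_SECRET = "sk_test_constructed_secret"
SAMPLE_BODY = json.dumps(
    {"event": "sample.event", "data": {"reference": "REF-12345", "amount": 5000}}
).encode("utf-8")


def sign_reference(reference: str, secret_key: str) -> str:
    """HMAC-SHA256 over data.reference, keyed with the API secret key.
    Assumption: the header value is the hex encoding of the digest."""
    return hmac.new(secret_key.encode("utf-8"), reference.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_paybeta_webhook(raw_body: bytes, signature_header, secret_key: str) -> bool:
    """Return True only when the Signature header matches the local HMAC."""
    # Fail closed on a missing header or an unset secret.
    if not isinstance(signature_header, str) or not secret_key:
        return False
    try:
        # Step 1: parse the raw body and extract data.reference.
        reference = json.loads(raw_body)["data"]["reference"]
    except (ValueError, KeyError, TypeError):
        return False  # malformed JSON, or no data.reference present
    if not isinstance(reference, str) or not reference:
        return False
    # Step 3: compute the expected value locally.
    expected = sign_reference(reference, secret_key)
    # Hex is case-insensitive, so normalise before comparing.
    received = signature_header.strip().lower()
    # Step 4: constant-time comparison; bytes avoid a TypeError on
    # non-ASCII header values.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


if __name__ == "__main__":
    good = sign_reference("REF-12345", SAMPLE_SECRET)
    print(verify_paybeta_webhook(SAMPLE_BODY, good, SAMPLE_SECRET))
    print(verify_paybeta_webhook(SAMPLE_BODY, "0" * 64, SAMPLE_SECRET))
    print(verify_paybeta_webhook(SAMPLE_BODY, None, SAMPLE_SECRET))
```

Because the digest covers only data.reference, a matching signature authenticates the reference alone; the other fields in the JSON body are not covered by it.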
Code Verification Code Examples
Modified at 2026-05-17 16:55:27