Webhook Signature Verifier

Test and verify webhook signatures before implementing in production. Learn how to properly validate incoming webhooks from HooPay.

Verify Webhook Signature

Your Webhook Secret

X-Webhook-Timestamp (Unix timestamp)

X-Webhook-Signature (Received from HooPay)

Webhook Payload (JSON)

Implementation Examples

import hmac
import hashlib
import time

def verify_webhook(payload, signature, timestamp, secret):
    # Check timestamp is within 5 minutes
    if abs(time.time() - int(timestamp)) > 300:
        return False
    
    # Create signed payload
    signed_payload = f"{timestamp}.{payload}"
    
    # Compute expected signature
    expected = hmac.new(
        secret.encode('utf-8'),
        signed_payload.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()
    
    # Constant-time comparison
    return hmac.compare_digest(signature, expected)

function verifyWebhook($payload, $signature, $timestamp, $secret) {
    // Check timestamp is within 5 minutes
    if (abs(time() - (int)$timestamp) > 300) {
        return false;
    }
    
    // Create signed payload
    $signedPayload = $timestamp . '.' . $payload;
    
    // Compute expected signature
    $expected = hash_hmac('sha256', $signedPayload, $secret);
    
    // Constant-time comparison
    return hash_equals($signature, $expected);
}

const crypto = require('crypto');

function verifyWebhook(payload, signature, timestamp, secret) {
    // Check timestamp is within 5 minutes
    const now = Math.floor(Date.now() / 1000);
    if (Math.abs(now - parseInt(timestamp)) > 300) {
        return false;
    }
    
    // Create signed payload
    const signedPayload = `${timestamp}.${payload}`;
    
    // Compute expected signature
    const expected = crypto
        .createHmac('sha256', secret)
        .update(signedPayload)
        .digest('hex');
    
    // Constant-time comparison
    return crypto.timingSafeEqual(
        Buffer.from(signature),
        Buffer.from(expected)
    );
}

Webhook Events

payment.completed Payment successful

payment.failed Payment failed

payment.cancelled Session cancelled

payment.completed Payment settled

collection.completed Collection processed

View all webhook events

Best Practices

Always verify signatures before processing webhooks
Respond with 2xx status within 5 seconds
Process webhooks asynchronously (queue them)
Store webhook_id to handle duplicates
Use constant-time comparison for signatures