KiPay

Webhook Verification

Secure your webhook endpoints with HMAC signatures.

Trust but Verify

To ensure that a webhook was actually sent by KiPay, you must verify the X-KiPay-Signature header sent with every request.

Verification Logic

The signature is an HMAC-SHA256 hash of the raw request body, using your Webhook Secret as the key.

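const crypto = require("crypto");
const secret = process.env.KIPAY_WEBHOOK_SECRET;
// The header may be absent on forged requests; treat that as an empty value.
const signature = req.headers["x-kipay-signature"] || "";
// rawBody must be the exact bytes received, before any JSON parsing.
const expected = "sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
// Compare in constant time; timingSafeEqual throws on unequal lengths, so check length first.
const a = Buffer.from(signature), b = Buffer.from(expected);
if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) throw new Error("Invalid signature");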