Secure Webhooks
Verify webhook signatures to ensure requests genuinely come from Plexy.
Why verify signatures?
Without verification, attackers could send fake webhook events to your endpoint. Signature verification ensures:
- The request came from Plexy
- The payload hasn't been tampered with
- The request is recent (not a replay attack)
Webhook signing secret
Each webhook endpoint has a unique signing secret. Find it in your Dashboard:
- Go to Developers > Webhooks
- Click your endpoint
- Copy the Signing Secret (starts with whsec_)
Keep your signing secret secure. Never expose it in client-side code or version control.
Signature header
Plexy includes a signature in the Plexy-Signature header:
Plexy-Signature: t=1679529600,v1=abc123...

| Part | Description |
|---|---|
| t | Unix timestamp when the signature was generated |
| v1 | HMAC-SHA256 signature |
Verify signatures
Every inbound POST Plexy sends to your endpoint looks like this:
curl -X POST https://your-app.example.com/webhooks/plexy \
  -H "Plexy-Signature: t=1679529600,v1=abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "id": "evt_1234567890",
    "type": "payment.succeeded",
    "created": 1679529600,
    "data": {
      "id": "pay_abc123",
      "amount": 5000,
      "currency": "USD",
      "status": "succeeded"
    }
  }'

Verify the signature
Compute HMAC-SHA256(<raw request body>, <your webhook secret>), hex-encode the result, and compare against the v1= value in the Plexy-Signature header using a constant-time comparison. Reject the request if they differ. Also confirm the t= timestamp is within 5 minutes of the current time to guard against replay attacks.
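The verification steps above carried out in Python, as an added example that is not part of the Plexy documentation or an official Plexy library. It assumes the header format shown earlier (t=<unix timestamp>,v1=<hex HMAC>), the whsec_ signing secret from the Dashboard, and the 5-minute freshness window; the secret, event body and timestamp in the demo section are constructed values, not real Plexy data.

```python
"""Verify a Plexy-Signature header on an inbound webhook request."""
import hashlib
import hmac
import time

# The docs specify a 5-minute freshness window for the t= timestamp.
TOLERANCE_SECONDS = 300


def parse_signature_header(header):
    """Split 't=<ts>,v1=<hex>' into {'t': [...], 'v1': [...]}.

    Values are kept as lists so a header carrying several v1= entries
    (for example while a secret is being rotated) can be checked one by one.
    """
    parts = {}
    for element in header.split(","):
        if "=" not in element:
            raise ValueError("malformed Plexy-Signature element: %r" % element)
        key, value = element.strip().split("=", 1)
        parts.setdefault(key, []).append(value)
    return parts


def compute_signature(raw_body, secret):
    """HMAC-SHA256 over the exact request body bytes, hex-encoded."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body, header, secret, now=None):
    """Return (True, "ok") if the request is authentic and fresh, else (False, reason).

    raw_body must be the bytes exactly as received: re-serialising parsed JSON
    changes whitespace and key order and breaks the HMAC.
    """
    try:
        parts = parse_signature_header(header)
    except ValueError as exc:
        return False, str(exc)
    if "t" not in parts or "v1" not in parts:
        return False, "header lacks t= or v1="
    try:
        timestamp = int(parts["t"][0])
    except ValueError:
        return False, "timestamp is not an integer"

    # Freshness guard: the timestamp must fall inside the tolerance window.
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside the %d-second window" % TOLERANCE_SECONDS

    # Authenticity guard: constant-time comparison against each v1 candidate.
    expected = compute_signature(raw_body, secret)
    if not any(hmac.compare_digest(expected, candidate) for candidate in parts["v1"]):
        return False, "signature mismatch"
    return True, "ok"


# Constructed demo values (not a real secret and not a real Plexy event).
DEMO_SECRET = "whsec_constructed_demo_secret"
DEMO_BODY = (b'{"id":"evt_1234567890","type":"payment.succeeded","created":1679529600,'
             b'"data":{"id":"pay_abc123","amount":5000,"currency":"USD","status":"succeeded"}}')
DEMO_NOW = 1679529600


def demo_header(body=DEMO_BODY, timestamp=DEMO_NOW, secret=DEMO_SECRET):
    """Build a header the way the sender would; for local testing only."""
    return "t=%d,v1=%s" % (timestamp, compute_signature(body, secret))


if __name__ == "__main__":
    print(verify_webhook(DEMO_BODY, demo_header(), DEMO_SECRET, now=DEMO_NOW))
    print(verify_webhook(DEMO_BODY + b" ", demo_header(), DEMO_SECRET, now=DEMO_NOW))
    print(verify_webhook(DEMO_BODY, demo_header(timestamp=DEMO_NOW - 600),
                         DEMO_SECRET, now=DEMO_NOW))
```

Call verify_webhook with the request body read as raw bytes before any JSON parsing, and return an error status and stop processing whenever it reports False. Because the signature as described covers only the body, the t= check alone rejects an unmodified replay but not one whose header has been rewritten with a fresh timestamp; recording the event id and ignoring events you have already processed gives the more robust replay defence, and it also makes the handler idempotent under legitimate redelivery.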