Validating Incoming Webhooks
Verifying the HMAC signature
To verify the HMAC signature included in the webhook payload, follow these steps:
1. Retrieve the PayNow-Signature header from the webhook request, containing the HMAC of the entire payload body and the timestamp.
2. Extract the Unix millisecond timestamp from the PayNow-Timestamp header.
3. Create a string by combining the timestamp from the header, followed by a dot (".") and then the actual payload string from the webhook request. Then create an HMAC signature using the resulting string and your signing secret.
4. Compare the calculated signature with the signature provided in the PayNow-Signature header.
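One way to implement these steps, as an added example rather than PayNow's own code. It assumes HMAC-SHA256 with a hex-encoded signature and a five-minute freshness window, none of which this page specifies; the sample secret, timestamp and body are constructed.

```python
import hashlib
import hmac
import time

# Assumptions (not stated on this page): HMAC-SHA256, hex-encoded digest,
# and a 5-minute freshness window. Confirm them against PayNow's reference.
TOLERANCE_MS = 5 * 60 * 1000

# Constructed sample values, for illustration only.
SAMPLE_SECRET = b"example-signing-secret"
SAMPLE_TS = "1700000000000"
SAMPLE_BODY = b'{"event":"example.event","id":"constructed-1"}'


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # The signed string is "<timestamp>.<payload>". Use the raw body bytes
    # exactly as received; re-serialising parsed JSON changes the bytes.
    signed = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers, raw_body: bytes, now_ms=None) -> bool:
    """Return True only if the signature matches and the timestamp is fresh.

    `headers` is a mapping of header name to value; most web frameworks
    expose one that is case-insensitive.
    """
    signature = headers.get("PayNow-Signature")
    timestamp = headers.get("PayNow-Timestamp")
    if not signature or not timestamp:
        return False
    # Reject anything that is not a plain ASCII integer before using it.
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    # A stale or far-future timestamp is treated as a replayed request.
    if abs(now_ms - int(timestamp)) > TOLERANCE_MS:
        return False
    expected = compute_signature(secret, timestamp, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.strip().lower().encode())
```

Run the check before parsing the body, and respond with an error status when it returns False.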
IP Addresses
PayNow sends webhooks from a set list of IP addresses. If your firewall requires whitelisting inbound requests, please add the following IP addresses to your allowlist:
34.203.112.123
54.208.125.169
54.86.24.96
Note: These IP addresses are subject to change. We recommend implementing signature verification as your primary security measure, and using IP whitelisting as an additional layer of security.