# Validating Incoming Webhooks

## Verifying the HMAC signature

To verify the HMAC signature included in the webhook payload, follow these steps:

1. Retrieve the `PayNow-Signature` header from the webhook request, containing the HMAC of the entire payload body and the timestamp.
2. Extract the Unix millisecond timestamp from the `PayNow-Timestamp` header.
3. Build the signed string by concatenating the timestamp from the header, a dot ("."), and the payload body exactly as it was received in the webhook request. Then compute an HMAC over the resulting string using your signing secret.
4. Compare the calculated signature with the signature provided in the `PayNow-Signature` header.

{% hint style="info" %}
When comparing HMAC signatures, avoid using simple string comparison methods, as they may be susceptible to timing attacks. Instead, use constant-time comparison techniques to compare the calculated signature with the provided signature, ensuring that the comparison takes the same amount of time regardless of the comparison result.
{% endhint %}
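The four steps above and the constant-time comparison, as an added Python example (not PayNow's own code). The page does not state the hash function or the signature encoding, so HMAC-SHA256 with hex output is an assumption here, as are the five-minute timestamp tolerance and the names `compute_signature` and `verify_webhook`.

```python
import hashlib
import hmac
import time

# Assumptions not stated on the page: HMAC-SHA256, hex-encoded signature,
# and a 5-minute tolerance on the signed timestamp to limit replays.
MAX_SKEW_MS = 5 * 60 * 1000


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Step 3: HMAC over '<timestamp>.<payload>' keyed with the signing secret."""
    signed = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes, now_ms=None) -> bool:
    """Return True only if the signature matches and the timestamp is recent.

    raw_body must be the exact bytes received; re-serialized JSON will not match.
    """
    h = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    provided = h.get("paynow-signature")             # step 1
    timestamp = h.get("paynow-timestamp")            # step 2
    if not provided or not timestamp:
        return False
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False

    expected = compute_signature(secret, timestamp, raw_body)
    # Step 4: constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), provided.strip().encode("utf-8", "replace")):
        return False

    # The timestamp is covered by the HMAC, so it can be trusted once the
    # signature has verified; reject deliveries outside the tolerance window.
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return abs(now_ms - int(timestamp)) <= MAX_SKEW_MS


if __name__ == "__main__":
    # Constructed sample values, not real PayNow data.
    secret = b"constructed-test-secret"
    body = b'{"event":"order.completed","id":"123"}'
    ts = str(int(time.time() * 1000))
    headers = {"PayNow-Signature": compute_signature(secret, ts, body), "PayNow-Timestamp": ts}
    print("valid:", verify_webhook(secret, headers, body))
    print("tampered:", verify_webhook(secret, headers, body + b" "))
```

Read the request body as raw bytes before any JSON parsing, and pass those same bytes to `verify_webhook`.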

## IP Addresses

PayNow sends webhooks from a set list of IP addresses. If your firewall requires whitelisting inbound requests, please add the following IP addresses to your allowlist:

* `34.203.112.123`
* `54.208.125.169`
* `54.86.24.96`

**Note:** These IP addresses are subject to change. We recommend implementing signature verification as your primary security measure, and using IP whitelisting as an additional layer of security.


