Validating Incoming Webhooks

Verifying the HMAC signature

To verify the HMAC signature included in the webhook payload, follow these steps:

  1. Retrieve the PayNow-Signature header from the webhook request, containing the HMAC of the entire payload body and the timestamp.

  2. Extract the Unix millisecond timestamp from the PayNow-Timestamp header.

  3. Create a string by combining the timestamp from the header, followed by a dot (".") and then the actual payload string from the webhook request. Then create an HMAC signature using the resulting string and your signing secret.

  4. Compare the calculated signature with the signature provided in the PayNow-Signature header.

When comparing HMAC signatures, avoid using simple string comparison methods, as they may be susceptible to timing attacks. Instead, use constant-time comparison techniques to compare the calculated signature with the provided signature, ensuring that the comparison takes the same amount of time regardless of the comparison result.
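The four steps above, with the constant-time comparison, as a worked verification routine in Python. This is an added example, not code from PayNow's documentation: it assumes HMAC-SHA256 with a hex-encoded digest (the page does not state the algorithm or encoding), and it adds a timestamp freshness window, also an assumption, so that a captured request cannot be replayed indefinitely.

```python
import hmac
import hashlib
import time
from typing import Dict, Optional

SIGNATURE_HEADER = "PayNow-Signature"
TIMESTAMP_HEADER = "PayNow-Timestamp"
# Assumed replay window (not specified by the page): reject timestamps more than
# 5 minutes away from the receiver's clock.
TOLERANCE_MS = 5 * 60 * 1000


def compute_signature(secret: str, timestamp_ms: str, body: bytes) -> str:
    """Step 3: HMAC over "<timestamp>.<raw body>" using the signing secret.
    Algorithm (SHA-256) and encoding (hex) are assumptions."""
    message = timestamp_ms.encode("utf-8") + b"." + body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: Dict[str, str], body: bytes,
                   now_ms: Optional[int] = None) -> bool:
    """Return True only if the signature matches and the timestamp is fresh."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}
    provided = lower.get(SIGNATURE_HEADER.lower())       # step 1
    timestamp_ms = lower.get(TIMESTAMP_HEADER.lower())   # step 2
    if not provided or not timestamp_ms or not timestamp_ms.isdigit():
        return False
    current = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(current - int(timestamp_ms)) > TOLERANCE_MS:
        return False
    expected = compute_signature(secret, timestamp_ms, body)
    # Step 4: constant-time comparison over bytes; never `==` on the strings.
    return hmac.compare_digest(expected.encode("ascii"), provided.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values; the secret and body are not real PayNow data.
    secret = "whsec_constructed_example"
    body = b'{"event":"order.completed","id":"ord_constructed_1"}'
    ts = "1700000000000"
    sig = compute_signature(secret, ts, body)
    headers = {SIGNATURE_HEADER: sig, TIMESTAMP_HEADER: ts}
    print("valid:", verify_webhook(secret, headers, body, now_ms=1700000000000))
    print("tampered body rejected:",
          not verify_webhook(secret, headers, body + b" ", now_ms=1700000000000))
```

Use the raw request bytes for `body`; re-serialising parsed JSON can change whitespace or key order and the signature will no longer match.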

IP Addresses

PayNow sends webhooks from a set list of IP addresses. If your firewall requires whitelisting inbound requests, please add the following IP addresses to your allowlist:

  • 34.203.112.123

  • 54.208.125.169

  • 54.86.24.96

Note: These IP addresses are subject to change. We recommend implementing signature verification as your primary security measure, and using IP whitelisting as an additional layer of security.
