January 10, 2025 · security

Enhanced Webhook Security with HMAC Signatures

All webhook notifications now include HMAC-SHA256 signatures for cryptographic verification.

We've upgraded our webhook system with HMAC-SHA256 signatures for enhanced security.

Security Improvements

  • Cryptographic signatures: Every webhook includes an X-Pulse2Pay-Signature header
  • Timestamp validation: Prevent replay attacks with X-Pulse2Pay-Timestamp verification
  • Retry logic: Automatic retries with exponential backoff (1s, 5s, 30s, 1min, 5min)

Signature Verification

Webhook signatures use a simplified format (different from API request signatures):

HMAC-SHA256(webhook_secret, timestamp.body)

Learn more in our webhook security guide.
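
A receiver-side check for the scheme above, as an added example that is not Pulse2Pay's own code. It assumes the signature header carries a hex digest, the timestamp is Unix seconds, and a 300-second tolerance window, none of which this page specifies; the secret and payload are constructed.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: the page does not state a tolerance window


def expected_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    # HMAC-SHA256(webhook_secret, timestamp.body); hex output is an assumption.
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (ok, reason). `body` is the raw request bytes, never re-serialized JSON."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    sig = h.get("x-pulse2pay-signature")
    ts = h.get("x-pulse2pay-timestamp")
    if not sig or not ts:
        return False, "missing header"
    # Assumption: the timestamp is Unix seconds written as ASCII digits.
    if not (ts.isascii() and ts.isdigit()):
        return False, "malformed timestamp"
    # Authenticate first, with a constant-time compare so response timing
    # does not reveal how many leading characters matched.
    expected = expected_signature(secret, ts, body)
    if not hmac.compare_digest(expected.encode(), sig.lower().encode()):
        return False, "bad signature"
    # The timestamp is covered by the MAC, so a fresh value cannot be swapped
    # onto a captured delivery; an old value marks a replay.
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    return True, "ok"


# Constructed sample delivery (not real Pulse2Pay data).
SECRET = b"whsec_example_only"
BODY = b'{"event":"payment.completed","id":"evt_123"}'
TS = "1736500000"
HEADERS = {
    "X-Pulse2Pay-Timestamp": TS,
    "X-Pulse2Pay-Signature": expected_signature(SECRET, TS, BODY),
}

if __name__ == "__main__":
    print(verify_webhook(SECRET, HEADERS, BODY, now=int(TS) + 10))         # fresh delivery
    print(verify_webhook(SECRET, HEADERS, BODY + b" ", now=int(TS) + 10))  # altered body
    print(verify_webhook(SECRET, HEADERS, BODY, now=int(TS) + 3600))       # replayed later
```

Because delivery is retried on failure, the same signed event can legitimately arrive more than once inside the window, so handlers should also be idempotent.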

#webhooks #security #hmac #signatures