All requests made by Bolt to your ecommerce Merchant Callback API will be signed to ensure the authenticity of our requests. Your implementation should always verify the signature to make sure that it’s always Bolt calling your endpoint.

Bolt signs the payload and includes the HMAC signature in the request header X-Bolt-Hmac-Sha256. There are two ways to verify the payload with this signature.

How to Verify a Webhook

Step 1: Get Signing Secret

1. Log in to your Bolt Merchant Dashboard.
2. Navigate to Administration > API.
3. Scroll to Signing Secret.

Step 2: Use Secret for Verification

Bolt generates the signature by hashing the payload using the SHA-256 hashing algorithm. The signing secret is used as the salt in the hashing. The resulting value is then Base64 encoded to transmit as plain text. You can follow the same steps to generate and verify the signature.

$hmac_header = $_SERVER['X-Bolt-Hmac-Sha256'];

function verify_webhook($payload, $hmac_header) {
  $computed_hmac = base64_encode(hash_hmac('sha256', $payload, BOLT_SIGNING_SECRET, true));
  return ($computed_hmac == $hmac_header);
}