📍 Bolt Help / APIs, SDKs, & Webhooks / Webhook Setup / How to Verify Webhooks

How to Verify Webhooks

Learn how to verify webhooks sent by Bolt.

Bolt has launched a new Merchant Dashboard experience. See this page for help documentation that reflects the Legacy Dashboard.

All requests made by Bolt to your ecommerce Merchant Callback API will be signed to ensure the authenticity of our requests. Your implementation should always verify the signature to make sure that it’s always Bolt calling your endpoint.

Bolt signs the payload and includes the HMAC signature in the request header X-Bolt-Hmac-Sha256. There are two ways to verify the payload with this signature.

How to Verify a Webhook

1. Get Signing Secret

  1. Log in to your Bolt Merchant Dashboard.
  2. Navigate to Administration > API.
  3. Scroll to Signing Secret.

2. Use Secret for Verification

Bolt generates the signature by hashing the payload using the SHA-256 hashing algorithm. The signing secret is used as the salt in the hashing. The resulting value is then Base64 encoded to transmit as plain text. You can follow the same steps to generate and verify the signature.

$hmac_header = $_SERVER['X-Bolt-Hmac-Sha256'];

function verify_webhook($payload, $hmac_header) {
  $computed_hmac = base64_encode(hash_hmac('sha256', $payload, BOLT_SIGNING_SECRET, true));
  return ($computed_hmac == $hmac_header);
📖On This Page
Filter by Section
Filter by Topic