📍
Bolt Help / Developer Resources / Webhook Setup / How to Verify Webhooks
Learn how to verify webhooks sent by Bolt.
All requests made by Bolt to your ecommerce Merchant Callback API will be signed to ensure the authenticity of our requests. Your implementation should always verify the signature to make sure that it’s always Bolt calling your endpoint.
Bolt signs the payload and includes the HMAC signature in the request header X-Bolt-Hmac-Sha256. There are two ways to verify the payload with this signature.
How to Verify a Webhook
Step 1: Get Signing Secret
- Log in to your Bolt Merchant Dashboard.
- Navigate to Developer > API.
- Scroll to Keys.
Step 2: Use Secret for Verification
Bolt generates the signature by hashing the payload using the SHA-256 hashing algorithm. The signing secret is used as the salt in the hashing. The resulting value is then Base64 encoded to transmit as plain text. You can follow the same steps to generate and verify the signature.
$hmac_header = $_SERVER['X-Bolt-Hmac-Sha256'];
function verify_webhook($payload, $hmac_header) {
$computed_hmac = base64_encode(hash_hmac('sha256', $payload, BOLT_SIGNING_SECRET, true));
return ($computed_hmac == $hmac_header);
}