📍 Bolt Help / Developer Resources / Webhook Setup / How to Verify Webhooks
How to Verify Webhooks
Learn how to verify webhooks sent by Bolt.

New Dashboard Notice

Bolt has launched a new Merchant Dashboard experience. See this corresponding page for help documentation that reflects the Legacy Dashboard.

Please note that Legacy Dashboard documentation may no longer have up to date information on our newest features and releases.

All requests made by Bolt to your ecommerce Merchant Callback API will be signed to ensure the authenticity of our requests. Your implementation should always verify the signature to make sure that it’s always Bolt calling your endpoint.

Bolt signs the payload and includes the HMAC signature in the request header X-Bolt-Hmac-Sha256. There are two ways to verify the payload with this signature.

How to Verify a Webhook

Step 1: Get Signing Secret

  1. Log in to your Bolt Merchant Dashboard.
  2. Navigate to Administration > API.
  3. Scroll to Signing Secret.

Step 2: Use Secret for Verification

Bolt generates the signature by hashing the payload using the SHA-256 hashing algorithm. The signing secret is used as the salt in the hashing. The resulting value is then Base64 encoded to transmit as plain text. You can follow the same steps to generate and verify the signature.

$hmac_header = $_SERVER['X-Bolt-Hmac-Sha256'];

function verify_webhook($payload, $hmac_header) {
  $computed_hmac = base64_encode(hash_hmac('sha256', $payload, BOLT_SIGNING_SECRET, true));
  return ($computed_hmac == $hmac_header);
Filter by Section
Filter by Topic