Validate Webhook Authenticity

1. Configure a Webhook Endpoint

In your Bolt Merchant account:
  • In the left-side menu, go to Administration > Webhooks.
  • Enter the URL of the endpoint on your server that will receive webhook requests.

2. Get Your Signing Secret

In your Bolt Merchant account:
  • In the left-side menu, go to Administration > API.
  • Copy the Signing Secret. You will need it to validate requests.

3. Validate Incoming Webhooks

Each webhook request includes a signature in the X-Bolt-Hmac-Sha256 header. To verify the request:
  • Take the raw request body, exactly as it arrived on the wire (do not parse and re-serialize it first; any change to the bytes changes the signature).
  • Compute an HMAC-SHA256 over that body, keyed with your Signing Secret.
  • Base64-encode the result.
  • Compare it to the value in the X-Bolt-Hmac-Sha256 header using a constant-time comparison. If they match, the webhook is authentic; otherwise reject the request.
Node.js:

const crypto = require('crypto');

// Replace with your actual signing secret
const BOLT_SIGNING_SECRET = 'your_signing_secret_here';

// Inside your request handler. Node lowercases incoming header names,
// so the header must be read as 'x-bolt-hmac-sha256':
//   const hmacHeader = req.headers['x-bolt-hmac-sha256'];

function verifyWebhook(payload, hmacHeader) {
  // HMAC-SHA256 over the raw body, base64-encoded, as Bolt computes it
  const computedHmac = crypto
    .createHmac('sha256', BOLT_SIGNING_SECRET)
    .update(payload, 'utf8')
    .digest('base64');

  // Constant-time comparison; timingSafeEqual requires equal-length inputs,
  // so reject a missing or wrong-length header first
  if (typeof hmacHeader !== 'string' || hmacHeader.length !== computedHmac.length) {
    return false;
  }
  return crypto.timingSafeEqual(Buffer.from(computedHmac), Buffer.from(hmacHeader));
}

PHP:

// Replace with your actual signing secret
define('BOLT_SIGNING_SECRET', 'your_signing_secret_here');

// PHP exposes request headers in $_SERVER as HTTP_<NAME>, uppercased, dashes replaced by underscores
$hmac_header = $_SERVER['HTTP_X_BOLT_HMAC_SHA256'] ?? '';

function verify_webhook($payload, $hmac_header) {
  // Raw binary HMAC (last argument true), then base64-encode it
  $computed_hmac = base64_encode(hash_hmac('sha256', $payload, BOLT_SIGNING_SECRET, true));
  // Constant-time comparison instead of ==
  return hash_equals($computed_hmac, $hmac_header);
}
See the Bolt Webhooks documentation for more information.