Validate Webhook Authenticity
1. Configure a Webhook Endpoint
In your Bolt Merchant account:
- In the left-side menu, go to Administration → Webhooks.
- Enter the URL of the endpoint on your server that will receive webhook requests.
2. Get Your Signing Secret
In your Bolt Merchant account:
- In the left-side menu, go to Administration → API.
- Copy the Signing Secret. You will need it to validate requests.
3. Validate Incoming Webhooks
Each webhook request includes a signature in the X-Bolt-Hmac-Sha256 header. To verify the request:
- Take the raw request body.
- Hash it with your Signing Secret using HMAC + SHA-256.
- Base64-encode the result.
- Compare it to the signature in the header. If they match, the webhook is valid.
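
The validation steps above in Python, as an added example that is not Bolt's own code. The secret and body are constructed sample values, the function names are hypothetical, and using the Signing Secret directly as UTF-8 key bytes is an assumption.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not real credentials or a real Bolt payload.
SAMPLE_SECRET = "example-signing-secret"
SAMPLE_BODY = b'{"type":"payment","data":{"amount":1000}}'


def compute_signature(signing_secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw body, then Base64-encode the digest.

    Assumption: the Signing Secret is used as-is, as UTF-8 key bytes.
    """
    digest = hmac.new(signing_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_webhook(signing_secret: str, raw_body: bytes, header_value) -> bool:
    """Compare the computed signature to the X-Bolt-Hmac-Sha256 header value."""
    if not header_value:
        return False  # missing header: reject without computing anything
    expected = compute_signature(signing_secret, raw_body)
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a guessed signature were right.
    return hmac.compare_digest(expected.encode("ascii"), header_value.strip().encode("utf-8"))


def reserialized(raw_body: bytes) -> bytes:
    """What a handler hashes if it re-dumps parsed JSON instead of using the
    bytes received; whitespace changes, so the signature no longer matches."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print("genuine request:   ", is_valid_webhook(SAMPLE_SECRET, SAMPLE_BODY, sig))
    print("re-serialized body:", is_valid_webhook(SAMPLE_SECRET, reserialized(SAMPLE_BODY), sig))
    print("tampered body:     ", is_valid_webhook(SAMPLE_SECRET, SAMPLE_BODY + b" ", sig))
    print("missing header:    ", is_valid_webhook(SAMPLE_SECRET, SAMPLE_BODY, None))
```

In a web framework, read the body bytes before any JSON-parsing middleware consumes them, and pass those exact bytes to the check.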