To ensure your application processes only legitimate requests from meCash, every webhook event is signed with a unique signature.
Verifying this signature is a critical security measure to protect your endpoint from malicious or accidental requests.

Step-by-Step Verification Guide

You can find your secret key for each webhook endpoint in the Developers → Webhooks section of your meCash dashboard.

Step 1: Extract the Signature

Get the value of the X-Signature header from the incoming request.
Note: HTTP headers are case-insensitive, so x-signature and X-Signature are treated the same.

Step 2: Prepare the Payload for Hashing

You must use the raw, unmodified JSON body of the request.
Do not parse and re-stringify the JSON — changes in whitespace or key order will alter the computed hash and cause verification to fail.

Step 3: Compute Your Expected Signature

Calculate an HMAC-512 hash of the raw request body (from Step 2) using your endpoint’s secret key.

Step 4: Compare the Signatures

Compare the signature you computed with the one from the X-Signature header.
If they match, the request is valid.

Security Best Practice: Use a timing-attack-safe comparison method instead of == or ===.
This prevents attackers from guessing valid signatures by measuring response times.
🛡️ Replay Attack Prevention: If your webhook request includes a timestamp (in headers or payload), validate that it’s within a short window (e.g., 5 minutes).
Reject older requests to prevent replayed webhooks from being processed.
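
Steps 1 to 4 and the replay check, shown as an added Python example (not meCash's own code). It assumes "HMAC-512" means HMAC-SHA-512 with a hex-encoded signature and that the caller extracts the timestamp, if any; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 300  # the 5-minute replay window suggested above


def get_signature(headers):
    """Step 1: look up X-Signature without depending on header case."""
    for name, value in headers.items():
        if name.lower() == "x-signature":
            return value.strip()
    return None


def expected_signature(raw_body, secret):
    """Step 3: HMAC of the raw bytes (assumed: SHA-512, hex-encoded)."""
    return hmac.new(secret, raw_body, hashlib.sha512).hexdigest()


def verify_webhook(headers, raw_body, secret, timestamp=None, now=None):
    """Return True only for a correctly signed and, if dated, fresh request."""
    received = get_signature(headers)
    if not received:
        return False
    expected = expected_signature(raw_body, secret)
    # Step 4: constant-time compare. Encoding to bytes keeps a non-ASCII
    # header value from raising; hex case is normalised first.
    if not hmac.compare_digest(expected.encode(), received.lower().encode()):
        return False
    if timestamp is not None:
        # Only meaningful if the timestamp is itself covered by the signature.
        try:
            age = abs((time.time() if now is None else now) - float(timestamp))
        except (TypeError, ValueError):
            return False
        if age > MAX_AGE_SECONDS:
            return False
    return True


if __name__ == "__main__":
    secret = b"constructed-test-secret"   # constructed, not a real key
    body = b'{"id":"evt_1","amount":100}'  # constructed raw request body
    sig = expected_signature(body, secret)
    print(verify_webhook({"x-signature": sig}, body, secret))         # valid
    print(verify_webhook({"x-signature": sig}, body + b" ", secret))  # altered
```

Pass the request body exactly as received (bytes read before any JSON parsing), and parse it only after verify_webhook returns True.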