Verifying Webhooks
The webhook verification process ensures the authenticity and integrity of incoming webhook requests. By verifying the webhook signature, the process confirms that the request originates from Zoho Payments and has not been tampered with during transmission. This provides a secure mechanism to safeguard sensitive data and prevent unauthorised or malicious interactions with the receiving system.
To verify your webhooks, follow these steps:
- Retrieve the signing key used for verification.
- Extract the timestamp (t), the current time in milliseconds, from the X-ZohoWebhook-Signature header.
**Sample header:** t=1734340423138,v=48f9cb56a1beca6c92ff64e0d0954170fc474d971af07a8ecfcbb9502414241c
- Combine the timestamp (t) and the JSON response using a dot (.) to prepare the data. Example: 1734340423138.{ "status": "success" }
- Use the signing key generated during webhook configuration and the prepared data to create an HMAC-SHA256 hashed signature.
- Compare the calculated signature with the one provided in the X-ZohoWebhook-Signature header (v).
- Verify the signatures to confirm that the request is valid.
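The steps above as an added Python example; it is not Zoho Payments' own code. It signs the raw request body bytes as received (re-serialising the parsed JSON can change spacing and break the match) and compares in constant time. Assumptions: the header has exactly the `t=<ms>,v=<64 hex>` shape of the sample header, the signing key is used as its UTF-8 bytes, and the function names, the optional `max_age_ms` freshness check and the sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import re
import time

# Assumed header shape, taken from the sample header: t=<ms>,v=<64 hex chars>
HEADER_RE = re.compile(r"t=([0-9]+),v=([0-9a-fA-F]{64})")


def parse_signature_header(header):
    """Return (timestamp, signature) from the X-ZohoWebhook-Signature value."""
    match = HEADER_RE.fullmatch(header.strip())
    if match is None:
        raise ValueError("malformed X-ZohoWebhook-Signature header")
    return match.group(1), match.group(2).lower()


def compute_signature(signing_key, timestamp, raw_body):
    """HMAC-SHA256 over '<t>.<body>', hex-encoded as in the sample header."""
    data = timestamp.encode("ascii") + b"." + raw_body
    # Assumption: the signing key is used as its UTF-8 bytes.
    return hmac.new(signing_key.encode("utf-8"), data, hashlib.sha256).hexdigest()


def verify_webhook(signing_key, header, raw_body, max_age_ms=None, now_ms=None):
    """True only if the header signature matches the body bytes as received."""
    try:
        timestamp, received = parse_signature_header(header)
    except ValueError:
        return False
    expected = compute_signature(signing_key, timestamp, raw_body)
    # Constant-time comparison, so timing does not reveal how much matched.
    if not hmac.compare_digest(expected, received):
        return False
    if max_age_ms is None:
        return True
    # Optional freshness check (an addition, not one of the page's steps).
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return abs(now_ms - int(timestamp)) <= max_age_ms


# Constructed sample values: not a real key or a real delivery.
SAMPLE_KEY = "example-signing-key"
SAMPLE_BODY = b'{ "status": "success" }'
SAMPLE_T = "1734340423138"
SAMPLE_HEADER = "t={},v={}".format(
    SAMPLE_T, compute_signature(SAMPLE_KEY, SAMPLE_T, SAMPLE_BODY))
```

Call `verify_webhook` with the body bytes exactly as read from the request, before any JSON parsing, and reject the request when it returns False.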
Your endpoint must promptly return a successful status code (2xx) within 15 seconds before executing any complex logic that might lead to a timeout error.