Skip to main content

Signature

Verify the HMAC signature before trusting any event field.

Required practices

  • Use the raw body exactly as received.
  • Compare with a constant-time function.
  • Version the secret like any other operational credential.
  • Log only event_id, event_type and request_id, never the secret.

Did this page unblock the next step?

Feedback stays inside the docs flow and should never include customer or card data.