Signature
Verify the HMAC signature before trusting any event field.
Required practices
- Use the raw body exactly as received.
- Compare with a constant-time function.
- Version the secret like any other operational credential.
- Log only
event_id,event_typeandrequest_id, never the secret.
Did this page unblock the next step?
Feedback stays inside the docs flow and should never include customer or card data.