blog.back_to_blog
Engineering blog.min_read

Understanding Webhook Security: HMAC Signatures Explained

Engineering Team · June 01, 2026

Webhooks are an essential part of any payment platform. They allow your application to receive real-time notifications when events occur — such as a payment completing or a refund being processed.

However, webhooks introduce a security challenge: how do you verify that a webhook request actually came from KmarApp and not from an attacker?

HMAC Signatures

KmarApp signs every webhook request using HMAC-SHA256. Each request includes a X-Signature header that contains the signature. You can verify this signature using your webhook secret.

function verifySignature($payload, $signature, $secret) {
    $expected = hash_hmac("sha256", $payload, $secret);
    return hash_equals($expected, $signature);
}

Best Practices

  • Always verify the HMAC signature before processing the webhook
  • Use constant-time comparison (hash_equals in PHP)
  • Store your webhook secret securely — never expose it in client-side code
  • Respond with 200 OK quickly and process asynchronously