Engineering
blog.min_read
Understanding Webhook Security: HMAC Signatures Explained
Engineering Team
·
June 01, 2026
Webhooks are an essential part of any payment platform. They allow your application to receive real-time notifications when events occur — such as a payment completing or a refund being processed.
However, webhooks introduce a security challenge: how do you verify that a webhook request actually came from KmarApp and not from an attacker?
HMAC Signatures
KmarApp signs every webhook request using HMAC-SHA256. Each request includes a X-Signature header that contains the signature. You can verify this signature using your webhook secret.
function verifySignature($payload, $signature, $secret) {
$expected = hash_hmac("sha256", $payload, $secret);
return hash_equals($expected, $signature);
}
Best Practices
- Always verify the HMAC signature before processing the webhook
- Use constant-time comparison (
hash_equalsin PHP) - Store your webhook secret securely — never expose it in client-side code
- Respond with 200 OK quickly and process asynchronously