Commerce API Webhooks Security
Every Commerce webhook request includes an X-CC-WEBHOOK-SIGNATURE header. This header contains the SHA256 HMAC signature of the raw request payload, computed using your webhook shared secret as the key.
-
Get your shared webhook secret under Settings > Notifications.
-
Verify the webhook signature before acting on it inside your system.
Refer to the Coinbase Commerce Ruby reference implementation.
See Also: