HMAC
Prepare for webhook request signing with Hash-based Message Authentication Code (HMAC).
Overview
When HMAC signing is enabled, Open Loyalty attaches a cryptographic signature to every webhook request. Your receiving endpoint can use this signature to confirm the request genuinely came from Open Loyalty and has not been altered in transit.
Enabling HMAC on a Webhook
When creating a webhook, toggle on Enable HMAC signature in the webhook configuration form.
This adds signed headers to every webhook request (HMAC-SHA256).
The secret key is shown only once, after the webhook is saved.

Saving Your Secret Key
After saving the webhook, a modal will display your secret key.
Copy and store it securely before continuing — the key cannot be retrieved later.
If you lose it, you will need to rotate the key from the webhook settings.
Once you have saved the key, check I have saved this secret key to enable the Continue button and proceed.

Using the Secret Key
Your secret key is used on your server to verify that incoming webhook requests are authentic. Pass it to your verification logic and compare the computed signature against the one included in the request headers.
If a request fails signature verification, reject it. This prevents untrusted sources from sending data to your webhook endpoint.
Recommended Practices
Store the secret key in a secrets manager or environment variable — never hardcode it
Never log the secret key in plain text
Reject and log any requests that fail verification, for monitoring and troubleshooting
If you suspect the key has been compromised, rotate it immediately from the webhook settings
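The verification flow described under Using the Secret Key, together with the practices above (secret read from the environment, failures logged without ever logging the key, constant-time comparison), as an added example that is not Open Loyalty's own code. The header name X-Signature, the environment variable WEBHOOK_HMAC_SECRET, hex encoding of the signature and signing over the raw request body are assumptions made for the example; the page only states that signed headers use HMAC-SHA256, so adjust these to match what your webhook actually sends.

```python
import hashlib
import hmac
import os
from typing import Mapping, Optional

# Assumed for this example (not documented on the page): the header carrying the
# hex-encoded HMAC-SHA256 of the raw request body, and the env var holding the key.
SIGNATURE_HEADER = "X-Signature"
SECRET_ENV_VAR = "WEBHOOK_HMAC_SECRET"


def load_secret(env: Mapping[str, str] = os.environ) -> bytes:
    """Read the secret from the environment or a secrets manager, never from source."""
    secret = env.get(SECRET_ENV_VAR, "")
    if not secret:
        raise RuntimeError(f"{SECRET_ENV_VAR} is not set")
    return secret.encode("utf-8")


def compute_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request bytes, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_signature(secret: bytes, body: bytes, headers: Mapping[str, str]) -> bool:
    """True only if the header is present and matches the locally computed HMAC."""
    received = get_header(headers, SIGNATURE_HEADER)
    if not received:
        return False
    expected = compute_signature(secret, body)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected, received.strip().lower())


def handle_webhook(secret: bytes, body: bytes, headers: Mapping[str, str], log=print) -> int:
    """Return the HTTP status the endpoint should answer with."""
    if not verify_signature(secret, body, headers):
        # Log the rejection for monitoring; the secret and the signature are not logged.
        log(f"rejected webhook: signature verification failed (body length {len(body)})")
        return 401
    # Process the now-trusted payload here.
    return 200


if __name__ == "__main__":
    # Constructed sample values for the demo; a real deployment calls load_secret().
    demo_secret = b"demo-secret-from-secrets-manager"
    demo_body = b'{"event":"points.added","customerId":"c-123"}'
    good_headers = {SIGNATURE_HEADER: compute_signature(demo_secret, demo_body)}
    print(handle_webhook(demo_secret, demo_body, good_headers))         # 200
    print(handle_webhook(demo_secret, demo_body + b" ", good_headers))  # 401
```

Verify against the exact bytes received, before any JSON parsing or re-serialisation, because even a whitespace change produces a different HMAC (the second call in the demo shows this).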