# HMAC

### Overview

When HMAC signing is enabled, Open Loyalty attaches a cryptographic signature to every webhook request. Your receiving endpoint can use this signature to confirm the request genuinely came from Open Loyalty and has not been altered in transit.

***

### Enabling HMAC on a Webhook

When creating a webhook, toggle on **Enable HMAC signature** in the webhook configuration form.

{% hint style="warning" %}
Adds signed headers to every webhook request (HMAC-SHA256).

The secret key is **shown only once** after saving.
{% endhint %}

<figure><img src="/files/EaTB8l6RRMTd0ywTU7a2" alt=""><figcaption></figcaption></figure>

***

### Saving Your Secret Key

After saving the webhook, a modal will display your secret key.

* Copy and store it securely before continuing — the key **cannot be retrieved later**.
* If you lose it, you will need to rotate the key from the webhook settings.

Once you have saved the key, check **I have saved this secret key** to enable the Continue button and proceed.

<figure><img src="/files/mPbzWNZWC9xwxLR8eOrT" alt=""><figcaption></figcaption></figure>

***

### Using the Secret Key

Your secret key is used on your server to verify that incoming webhook requests are authentic. Pass it to your verification logic and compare the computed signature against the one included in the request headers.

{% hint style="info" %}
If a request fails signature verification, reject it. This prevents untrusted sources from sending data to your webhook endpoint.
{% endhint %}

***

### Verifying the Signature

Each webhook delivery includes a set of signature headers. Your endpoint should use these to authenticate every request before processing it.

{% hint style="warning" %}
If a request fails signature verification, reject it immediately. \
This prevents untrusted sources from injecting data into your webhook endpoint.
{% endhint %}

To find out more, please refer to the article below:

{% content-ref url="/pages/6v2xgV87zzoJ86sRDHLl" %}
[Verifying the Signature](/main-features/webhooks/hmac/verifying-the-signature.md)
{% endcontent-ref %}

***

### Recommended Practices

* Store the secret key in a secrets manager or environment variable — never hardcode it
* Never log the secret key in plain text
* Reject and log any requests that fail verification, for monitoring and troubleshooting
* If you suspect the key has been compromised, rotate it immediately from the webhook settings
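
The sketch below illustrates the verification step from **Using the Secret Key** together with the practices listed above. It is an added example, not Open Loyalty's own code. It assumes a single header carrying a hex-encoded HMAC-SHA256 of the raw request body; the header name `X-Example-Signature` and the environment variable `WEBHOOK_HMAC_SECRET` are placeholders, so take the real header names and signed content from the Verifying the Signature article.

```python
import hashlib
import hmac
import logging
import os

log = logging.getLogger("webhook")

# Assumption: placeholder header name, not taken from the Open Loyalty docs.
SIGNATURE_HEADER = "X-Example-Signature"
# Assumption: environment variable name chosen for this example.
SECRET_ENV = "WEBHOOK_HMAC_SECRET"


def load_secret(env=os.environ):
    """Read the key from the environment and fail closed if it is missing."""
    secret = env.get(SECRET_ENV, "")
    if not secret:
        raise RuntimeError(f"{SECRET_ENV} is not set")
    return secret.encode("utf-8")


def verify_webhook(headers, raw_body, secret):
    """Return True only if the header equals HMAC-SHA256(secret, raw_body)."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received:
        log.warning("webhook rejected: signature header missing")
        return False
    # Sign the exact bytes received; re-serialising parsed JSON changes them.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, unlike ==, which can leak via timing.
    ok = hmac.compare_digest(expected.encode(), received.strip().lower().encode())
    if not ok:
        # Log the rejection for monitoring, never the secret or expected value.
        log.warning("webhook rejected: signature mismatch (%d-byte body)", len(raw_body))
    return ok


# Constructed sample values for demonstration only.
SAMPLE_SECRET = b"constructed-example-secret"
SAMPLE_BODY = b'{"example":"constructed payload"}'
SAMPLE_SIG = hmac.new(SAMPLE_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(verify_webhook({SIGNATURE_HEADER: SAMPLE_SIG}, SAMPLE_BODY, SAMPLE_SECRET))
    print(verify_webhook({SIGNATURE_HEADER: SAMPLE_SIG}, SAMPLE_BODY + b" ", SAMPLE_SECRET))
```

Call `verify_webhook` on the raw body bytes before any JSON parsing, and return an error status without processing the payload when it returns `False`.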

