For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Apply for AccessDashboard
Guides
Guides
  • Get Started
    • Introduction
    • Quickstart
  • Agent Identity
    • Overview
    • Create Auth Intent
    • Exchange for JWT
    • Sessions
    • JWKS
  • Agent Checkout
    • Overview
    • Create an Invoice
    • List Invoices
    • Get Invoice
    • Cancel Invoice
  • Integration Patterns
    • Overview
    • Shared SDK Client
    • Wallet Auth
    • JWT Verification
    • Subscription Checkout
    • Webhook Verification
  • Concepts
    • Two Invoice IDs
    • Wallet Identity
    • Session vs Token
    • Webhook-Driven State
  • Webhooks
    • Overview
    • Verify Signatures
  • Reliability
    • Errors
    • SDK Reference
Apply for AccessDashboard
On this page
  • Using the SDK
  • Signature format
  • Manual verification
  • Key points
  • Next step
Webhooks

Verify Webhooks

Verify webhook signatures with HMAC-SHA256

||View as Markdown|
Was this page helpful?
Edit this page
Previous

Webhooks

Next

Errors

Built with

Using the SDK

The SDK’s validateWebhook() verifies the HMAC signature, checks timestamp freshness, and returns a typed event object:

1import { Gwop } from "@gwop/sdk";
2
3const gwop = new Gwop({
4  merchantApiKey: process.env.GWOP_MERCHANT_API_KEY!,
5  webhookSecret: process.env.GWOP_WEBHOOK_SECRET!, // whsec_*
6});
7
8// Express / Node.js handler
9app.post(
10  "/webhooks/gwop",
11  express.raw({ type: "application/json" }),
12  async (req, res) => {
13    try {
14      const event = await gwop.validateWebhook({
15        request: {
16          body: req.body.toString(),
17          headers: {
18            "x-gwop-signature": req.headers["x-gwop-signature"] as string,
19            "x-gwop-event-id": req.headers["x-gwop-event-id"] as string,
20            "x-gwop-event-type": req.headers["x-gwop-event-type"] as string,
21            "content-type": "application/json",
22          },
23          url: `https://${req.headers.host}${req.originalUrl}`,
24          method: "POST",
25        },
26      });
27
28      switch (event.body.eventType) {
29        case "invoice.paid":
30          console.log("Paid:", event.body.data.publicInvoiceId);
31          console.log("Chain:", event.body.data.paymentChain);
32          console.log("Tx:", event.body.data.txHash);
33          break;
34        case "invoice.expired":
35          console.log("Expired:", event.body.data.publicInvoiceId);
36          break;
37        case "invoice.canceled":
38          console.log("Canceled:", event.body.data.publicInvoiceId);
39          break;
40      }
41
42      res.sendStatus(200);
43    } catch (err) {
44      console.error("Webhook verification failed:", err);
45      res.sendStatus(401);
46    }
47  },
48);

The SDK uses the Web Crypto API internally, so validateWebhook() works in Node.js, Deno, Bun, and edge runtimes.

Signature format

Every webhook includes an X-Gwop-Signature header:

t=1711324111,v1=5257a869e7ecebeda32affa62cdca3fa51cad7e77a0e56ff536d0ce8e108d8bd
  • t — Unix timestamp when the webhook was sent
  • v1 — HMAC-SHA256 of {timestamp}.{raw_body} using your webhook secret

Manual verification

If you’re not using the SDK, verify signatures manually:

1import { createHmac, timingSafeEqual } from "node:crypto";
2
3function verifyWebhook(
4  rawBody: string,
5  signatureHeader: string,
6  secret: string,
7  toleranceSeconds = 300,
8): { timestamp: number; body: any } {
9  // Parse signature header
10  const parts = Object.fromEntries(
11    signatureHeader.split(",").map((p) => {
12      const [k, ...v] = p.split("=");
13      return [k, v.join("=")];
14    }),
15  );
16
17  const timestamp = parseInt(parts.t!, 10);
18  const receivedMac = parts.v1!;
19
20  // Reject stale webhooks (replay protection)
21  const now = Math.floor(Date.now() / 1000);
22  if (Math.abs(now - timestamp) > toleranceSeconds) {
23    throw new Error("Webhook timestamp outside tolerance");
24  }
25
26  // Compute expected HMAC
27  const expectedMac = createHmac("sha256", secret)
28    .update(`${timestamp}.${rawBody}`)
29    .digest("hex");
30
31  // Timing-safe comparison
32  const a = Buffer.from(receivedMac, "hex");
33  const b = Buffer.from(expectedMac, "hex");
34  if (a.length !== b.length || !timingSafeEqual(a, b)) {
35    throw new Error("Webhook signature verification failed");
36  }
37
38  return { timestamp, body: JSON.parse(rawBody) };
39}

Key points

  • Timing-safe comparison — Always use timingSafeEqual (or the SDK), never === for HMAC comparison
  • Timestamp tolerance — Reject webhooks older than 5 minutes (300 seconds) to prevent replay attacks
  • Deduplicate by X-Gwop-Event-Id — The same event may be delivered multiple times; store processed event IDs
  • Return 200 quickly — Process asynchronously if needed; Gwop retries on non-2xx responses

You must use the raw body (req.body.toString() or express.raw()) for HMAC verification. If you parse the body as JSON first and re-stringify it, the signature won’t match due to whitespace or key ordering differences.

Next step

Webhook-Driven State

See how verified webhook events should drive durable local state transitions

Integration Patterns

See the backend pattern for preserving raw request bytes and handling events