Every Commerce webhook request includes an X-CC-WEBHOOK-SIGNATURE header. This header contains the SHA256 HMAC signature of the raw request payload, computed using your webhook shared secret as the key.
Get your shared webhook secret under Settings > Notifications.
Verify the webhook signature before acting on the request inside your system.
Refer to the Coinbase Commerce Ruby reference implementation.
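The check described above, as an added Ruby sketch (not the Coinbase Commerce reference implementation). It assumes the header value is the hex-encoded digest; the function names, sample secret and sample body are hypothetical and constructed for illustration.

```ruby
require "openssl"

# Constructed sample values for illustration only; not real credentials.
SAMPLE_SECRET = "constructed-shared-secret"
SAMPLE_BODY   = '{"id":"constructed-0001","note":"sample payload"}'

# Constant-time comparison, so response timing does not reveal how many
# leading characters of a guessed signature were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# raw_body must be the exact bytes received, read before any JSON parsing.
# Re-serialized JSON can differ in whitespace or key order and will not match.
# Assumption: the X-CC-WEBHOOK-SIGNATURE value is a hex-encoded digest.
def valid_webhook?(raw_body, signature_header, shared_secret)
  return false if signature_header.nil? || signature_header.empty?
  return false if shared_secret.nil? || shared_secret.empty?
  digest   = OpenSSL::Digest.new("SHA256")
  expected = OpenSSL::HMAC.hexdigest(digest, shared_secret, raw_body)
  secure_compare(expected, signature_header.strip.downcase)
end

# Signature a sender holding SAMPLE_SECRET would attach to SAMPLE_BODY.
def sample_signature
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SAMPLE_SECRET, SAMPLE_BODY)
end

if __FILE__ == $PROGRAM_NAME
  puts valid_webhook?(SAMPLE_BODY, sample_signature, SAMPLE_SECRET)        # genuine request
  puts valid_webhook?(SAMPLE_BODY + " ", sample_signature, SAMPLE_SECRET)  # body altered in transit
  puts valid_webhook?(SAMPLE_BODY, nil, SAMPLE_SECRET)                     # header missing
end
```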