Skip to main content

Commerce API Webhooks Security

Every Commerce webhook request includes an X-CC-WEBHOOK-SIGNATURE header. This header contains the SHA256 HMAC signature of the raw request payload, computed using your webhook shared secret as the key.

  1. Get your shared webhook secret under Settings > Notifications.

  2. Verify the webhook signature before acting on it inside your system.

Refer to the Coinbase Commerce Ruby reference implementation.

See Also:

Was this helpful?