Securing Commerce API Webhooks
Every Coinbase Commerce webhook request includes an X-CC-Webhook-Signature header. This header contains the SHA256 HMAC signature of the raw request payload, computed using your webhook shared secret as the key.
You can obtain your shared webhook secret on Settings > Notifications.
Always verify the webhook signature before acting on it inside your system. All integrations on our public GitHub page verify this already, but if you need to implement it yourself, please take a look at our reference Ruby implementation.
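The check described above, as an added Ruby example (not Coinbase's reference implementation): it recomputes the HMAC over the raw body and compares it to the X-CC-Webhook-Signature value in constant time. It assumes the header carries the digest as a hex string; the method names, secret and payload are hypothetical, constructed sample values.

```ruby
require 'openssl'
require 'json'

# Constant-time string comparison, so response timing does not reveal how many
# leading characters of a forged signature were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Assumption: the header value is the hex-encoded HMAC-SHA256 digest.
def expected_signature(raw_body, shared_secret)
  OpenSSL::HMAC.hexdigest('SHA256', shared_secret, raw_body)
end

# raw_body must be the exact bytes received, read before any JSON parsing.
def valid_webhook?(raw_body, signature_header, shared_secret)
  return false if signature_header.to_s.empty? || shared_secret.to_s.empty?
  secure_compare(signature_header.strip.downcase,
                 expected_signature(raw_body, shared_secret))
end

# Constructed sample values, not real Coinbase Commerce data.
SAMPLE_SECRET = 'constructed-example-secret'
SAMPLE_BODY   = '{"id": 1, "event": {"type": "charge:confirmed"}}'
SAMPLE_HEADER = expected_signature(SAMPLE_BODY, SAMPLE_SECRET)

def demo
  # Parsing and re-serializing changes whitespace, so the bytes no longer match.
  reserialized = JSON.generate(JSON.parse(SAMPLE_BODY))
  tampered     = SAMPLE_BODY.sub('confirmed', 'failed')
  {
    genuine:      valid_webhook?(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET),
    tampered:     valid_webhook?(tampered, SAMPLE_HEADER, SAMPLE_SECRET),
    missing:      valid_webhook?(SAMPLE_BODY, nil, SAMPLE_SECRET),
    reserialized: valid_webhook?(reserialized, SAMPLE_HEADER, SAMPLE_SECRET)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The `reserialized` case is the common integration failure: a framework that hands the handler parsed JSON has already discarded the bytes the signature covers.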