Webhook Signatures

For security purposes, all webhook payloads are signed with HMAC-SHA256. This allows you to verify that the webhooks are actually coming from Melio and have not been tampered with.

Signature Verification

Each webhook request includes an X-Melio-Signature header that contains the HMAC signature. To verify this signature:

  1. Get the webhook payload as a raw string
  2. Use your API secret key to create an HMAC-SHA256 signature of the payload
  3. Compare this signature with the value in the X-Melio-Signature header

Example in Node.js

const crypto = require("crypto");
const express = require("express");
const app = express();

// Your API secret key from Melio
const apiSecret = "your_api_secret_key";

// Your webhook endpoint. express.raw() keeps the body as the exact bytes Melio
// signed; a JSON body parser would re-serialise it and change the HMAC.
app.post("/webhook", express.raw({ type: "application/json" }), (req, res) => {
  const signature = req.headers["x-melio-signature"];
  const payload = req.body.toString();

  // Generate the expected signature
  const expectedSignature = crypto
    .createHmac("sha256", apiSecret)
    .update(payload)
    .digest("hex");

  // crypto.timingSafeEqual throws if the two buffers differ in length, so a
  // missing or wrong-length header must be rejected before the comparison
  // instead of crashing the handler.
  const received = Buffer.from(typeof signature === "string" ? signature : "");
  const expected = Buffer.from(expectedSignature);
  const valid =
    received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);

  // Verify the signature
  if (valid) {
    // Signature is valid, process the webhook
    const data = JSON.parse(payload);
    // Handle the webhook event
    console.log("Webhook received:", data);
    res.status(200).send("Webhook received");
  } else {
    // Signature is invalid
    console.error("Invalid signature");
    res.status(401).send("Invalid signature");
  }
});

app.listen(3000, () => {
  console.log("Webhook server listening on port 3000");
});