FazerCards Glossary

Webhook signature

An HMAC tag in the webhook request header so the receiver can verify the call really came from FazerCards and the body wasn't tampered with in transit.

Every FazerCards webhook ships with an X-FazerCards-Signature header — an HMAC-SHA256 of the raw request body keyed by the reseller's webhook secret. The receiver recomputes the HMAC and compares using a timing-safe equality check. If it doesn't match, the request is rejected. This prevents an attacker who knows your webhook URL from submitting forged 'order.completed' events to your bot.

Key facts

  • Algorithm: HMAC-SHA256.
  • Verify before any business-logic processing.
  • Cookbook recipe: /docs/cookbook#handle-webhooks.
