Webhooks security

We recommend verifying each webhook request to make sure it comes from Ecwid and was not altered or corrupted in transit. You can do that by validating the signature that accompanies each webhook.

Where to find the signature

A webhook signature is sent in the X-Ecwid-Webhook-Signature HTTP header with each webhook request.

How is the signature generated

The signature is computed over a string built by concatenating the following webhook fields, separated by a dot (.):

  • eventCreated (webhook event timestamp)
  • eventId (webhook event ID)

The resulting string is signed with HMAC-SHA256, using client_secret as the shared secret key, and the MAC is then Base64-encoded. Note that only these two fields are covered by the signature, not the rest of the webhook body.

Important: client_secret is not your access token, which looks like secret_*. It is a separate value you received when you registered the application with Ecwid.

How to validate the signature

To verify a webhook in your application:

  1. Get the signature from the X-Ecwid-Webhook-Signature request header
  2. Get the eventCreated and eventId values from the request body
  3. Sign the string '{eventCreated}.{eventId}' with HMAC-SHA256 (using client_secret as the shared secret key) and Base64-encode the result
  4. Compare the resulting string with the received webhook signature using a constant-time comparison, and reject the request if they differ
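The four steps above, as an added example in Python (not Ecwid's own code). The client secret, eventCreated timestamp, eventId and header values are constructed placeholders; the only assumption beyond the page is that the webhook body arrives as JSON with eventCreated as an integer Unix timestamp, so that formatting it into the signed string reproduces what Ecwid signed.

```python
import base64
import hashlib
import hmac
import json

# Placeholder client_secret (constructed, not a real Ecwid value).
CLIENT_SECRET = "example-client-secret"

# Constructed sample webhook: body and header as they would arrive over HTTP.
SAMPLE_BODY = '{"eventId": "80aece80-b1ab-4bef-a7a6-2fd8e0e63b22", "eventCreated": 1585654640, "eventType": "order.updated"}'


def compute_signature(event_created, event_id, client_secret):
    """Base64(HMAC-SHA256(client_secret, "{eventCreated}.{eventId}"))."""
    message = f"{event_created}.{event_id}".encode("utf-8")
    mac = hmac.new(client_secret.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_webhook(headers, raw_body, client_secret):
    """Return True only if X-Ecwid-Webhook-Signature matches the body's eventCreated/eventId."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get("x-ecwid-webhook-signature")
    if not received:
        return False
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False
    event_created = body.get("eventCreated")
    event_id = body.get("eventId")
    if event_created is None or event_id is None:
        return False
    expected = compute_signature(event_created, event_id, client_secret)
    # compare_digest runs in constant time, so a wrong guess leaks nothing about
    # which byte of the signature differed.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Simulate what Ecwid would attach to the sample body, then verify it.
    body = json.loads(SAMPLE_BODY)
    header_value = compute_signature(body["eventCreated"], body["eventId"], CLIENT_SECRET)
    headers = {"X-Ecwid-Webhook-Signature": header_value}
    print("valid:", verify_webhook(headers, SAMPLE_BODY, CLIENT_SECRET))
    # A body whose eventCreated was changed in transit no longer verifies.
    tampered = SAMPLE_BODY.replace("1585654640", "1585654641")
    print("tampered valid:", verify_webhook(headers, tampered, CLIENT_SECRET))
```

Because the MAC binds only eventCreated and eventId, a valid signature proves the event is Ecwid's but does not protect the other fields of the body; treat them as hints and re-read the current state through the API. The same two fields also give you what you need to drop duplicate deliveries (keyed on eventId) and to ignore events whose eventCreated is far in the past.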