All requests made by Bolt to your e-commerce webhook are signed to ensure the authenticity of our requests. Your implementation should always verify the signature to make sure that it is really Bolt calling your endpoint.
Bolt signs the payload and includes the HMAC signature in the request header X-Bolt-Hmac-Sha256.
There are two ways to verify the payload with this signature.
Method 1 — Pre-exchanged secret
You can obtain your 'signing secret' from Bolt and use it to verify the message. Bolt generates the signature by computing an HMAC over the raw payload with the SHA-256 hashing algorithm, using the 'signing secret' as the HMAC key. The resulting value is then Base64 encoded so it can be transmitted as plain text.
You can follow the same steps to generate and verify the signature.
Note — For users of Node, you must escape Unicode characters for the signatures to match. We recommend using the npm package escape-unicode.
// PHP: verify against the raw request body, read before anything parses it.
// PHP exposes the X-Bolt-Hmac-Sha256 header as HTTP_X_BOLT_HMAC_SHA256.
$payload = file_get_contents('php://input');
$hmac_header = $_SERVER['HTTP_X_BOLT_HMAC_SHA256'] ?? '';

function verify_webhook($payload, $hmac_header) {
    $computed_hmac = base64_encode(hash_hmac('sha256', $payload, BOLT_SIGNING_SECRET, true));
    // hash_equals() compares in constant time; a plain == is also loosely typed.
    return hash_equals($computed_hmac, $hmac_header);
}
# Ruby: OpenSSL::Digest::Digest no longer exists; pass the digest name directly.
require 'openssl'
require 'base64'

hmac_header = request.headers["X-Bolt-Hmac-Sha256"]
def verify_bolt_hook(payload, hmac_header)
  computed_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', BOLT_SIGNING_SECRET, payload))
  # Constant-time comparison; a plain == stops at the first differing byte.
  return false unless hmac_header && computed_hmac.bytesize == hmac_header.bytesize
  OpenSSL.fixed_length_secure_compare(computed_hmac, hmac_header)
end
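The following is an added, runnable Ruby example (not Bolt's own code) that ties Method 1 to a webhook handler: it reads the raw body, recomputes the signature exactly as described above, compares it in constant time, and refuses to act on the payload when the check fails. The secret, the sample payload and the Rack-style handler are constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'stringio'

# Constructed secret for this example; load the real one from configuration.
BOLT_SIGNING_SECRET = 'example-signing-secret-not-real'.freeze

# Signature as the page describes it: HMAC-SHA256 over the raw payload bytes,
# keyed with the signing secret, then Base64-encoded (no trailing newline).
def bolt_signature(payload, secret = BOLT_SIGNING_SECRET)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', secret, payload))
end

# Constant-time string comparison: OR together every byte difference so the
# running time does not depend on where the first mismatch occurs.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_bolt_signature?(payload, hmac_header, secret = BOLT_SIGNING_SECRET)
  return false if hmac_header.nil? || hmac_header.empty?
  secure_equal?(bolt_signature(payload, secret), hmac_header)
end

# Minimal Rack-style endpoint (any object responding to call(env); no framework needed).
# Rack exposes the X-Bolt-Hmac-Sha256 header as HTTP_X_BOLT_HMAC_SHA256.
class BoltWebhook
  def call(env)
    payload = env['rack.input'].read           # raw bytes exactly as Bolt signed them
    header  = env['HTTP_X_BOLT_HMAC_SHA256']
    unless valid_bolt_signature?(payload, header)
      return [401, { 'content-type' => 'text/plain' }, ['invalid signature']]
    end
    [200, { 'content-type' => 'text/plain' }, ['ok']]  # safe to consume the payload now
  end
end

# Build a Rack env for a constructed request (local testing only).
def demo_env(body, header)
  { 'rack.input' => StringIO.new(body), 'HTTP_X_BOLT_HMAC_SHA256' => header }
end

if __FILE__ == $PROGRAM_NAME
  body = '{"type":"auth","reference":"ORDER-123"}'   # constructed sample payload
  app  = BoltWebhook.new
  puts app.call(demo_env(body, bolt_signature(body)))[0]                     # 200
  puts app.call(demo_env(body.sub('123', '124'), bolt_signature(body)))[0]   # 401
end
```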
Method 2 — Verify via API
Alternatively, you can use our /v1/merchant/verify_signature endpoint to verify the authenticity of these requests. Simply forward the incoming request to this endpoint (along with your API key), making sure to include the X-Bolt-Hmac-Sha256 header. The endpoint responds with an HTTP 200 OK if the signature is valid. Any other response indicates an invalid signature, and the payload should not be consumed.
With this method, you will have one less secret to manage since you do not need the 'signing secret' anymore.