Securing Your Webhooks

For more information on PayJunction account structures, see the PayJunction Account Structures guide.

Why should you validate the webhook payload?

For security reasons, you should confirm that webhook data comes from PayJunction and has not been modified. Setting a secret token and using it to validate the webhook payload gives you confidence in the integrity of your webhook data.

Setting your secret token

You can create a secret token for a webhook in two ways:

  • Create a new webhook using the webhooks POST API and pass in the "secret" parameter.
  • Update an existing webhook using the webhooks PUT API and pass in the "secret" parameter.

Note: Use a random string with high entropy.

Note: Never store this secret in an insecure location (this includes the app source code), as anyone with this secret can effectively send fake data posing as PayJunction.
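One way to follow both notes, shown as an added example rather than PayJunction code: generate the secret from the operating system's CSPRNG, and have the application load it from its environment and reject values that are obviously weak. The variable name `PAYJUNCTION_WEBHOOK_SECRET` and the two thresholds are assumptions made for this example.

```python
import math
import os
import secrets
from collections import Counter

ENV_VAR = "PAYJUNCTION_WEBHOOK_SECRET"  # hypothetical name, not from PayJunction
MIN_RANDOM_BYTES = 32                   # assumed floor: 256 bits of CSPRNG output
MIN_ESTIMATED_BITS = 128                # assumed floor for the sanity check below


def generate_webhook_secret(nbytes: int = MIN_RANDOM_BYTES) -> str:
    """Create the value to pass as the "secret" parameter."""
    if nbytes < MIN_RANDOM_BYTES:
        raise ValueError(f"use at least {MIN_RANDOM_BYTES} random bytes")
    return secrets.token_urlsafe(nbytes)  # OS CSPRNG, URL-safe base64 text


def estimated_bits(value: str) -> float:
    """Empirical Shannon entropy of the whole string, in bits.

    A heuristic: it flags short or repetitive values, it cannot prove that a
    value was randomly generated.
    """
    total = len(value)
    return sum(n * math.log2(total / n) for n in Counter(value).values())


def load_webhook_secret(environ=os.environ) -> str:
    """Read the secret from the environment instead of from source code."""
    secret = environ.get(ENV_VAR, "")
    if not secret:
        raise RuntimeError(f"{ENV_VAR} is not set")
    if estimated_bits(secret) < MIN_ESTIMATED_BITS:
        raise RuntimeError(f"{ENV_VAR} looks too weak; generate a new one")
    return secret


if __name__ == "__main__":
    # Print once, store in a secret manager or deployment environment,
    # then send the same value in the webhooks POST/PUT "secret" parameter.
    print(generate_webhook_secret())
```

Rotating the secret means generating a new value, updating the stored copy, and sending it through the webhooks PUT API described above.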