Skip to main content
Webhook security ensures that the events your application receives genuinely come from ZendFi and have not been tampered with. Every webhook includes a cryptographic signature that you must verify before processing.

Signature Verification

Each webhook request includes these headers:
HeaderDescription
X-ZendFi-SignatureHMAC-SHA256 signature of the request body
X-ZendFi-EventEvent type (e.g., payment.confirmed)

How Signatures Work

The SDK handlers do all of this automatically. If you need to verify manually, here is the algorithm:

Manual Verification

Using the SDK

The SDK handles verification automatically in the webhook handlers:
Or verify manually with the client:

Replay Prevention

An attacker could intercept a valid webhook and re-send it to your endpoint. Protect against this with two mechanisms:

1. Timestamp Validation

Check that the webhook timestamp is within an acceptable window (typically 5 minutes):

2. Idempotency / Deduplication

Track which events you have already processed and skip duplicates:
For multi-instance deployments, use a shared store:

Webhook Secret Management

Your webhook secret (whsec_...) is used to verify signatures. Protect it with the same care as your API key:
  • Store it in environment variables, not in code
  • Do not commit it to version control
  • Rotate it if you suspect it has been compromised
To rotate your webhook secret:
  1. Generate a new secret in the ZendFi Dashboard
  2. Update your application’s ZENDFI_WEBHOOK_SECRET environment variable
  3. Deploy the update
  4. ZendFi starts signing with the new secret immediately

Error Handling in Webhooks

Your webhook endpoint should always return a 200 status code to acknowledge receipt, even if processing fails. This prevents ZendFi from retrying the delivery unnecessarily.
If your endpoint returns a non-2xx status, ZendFi retries with exponential backoff:
AttemptDelay
1Immediate
21 minute
35 minutes
430 minutes
52 hours
612 hours
7+Dead letter queue
After all retries are exhausted, the event moves to the dead letter queue where it can be manually replayed from the dashboard.

HTTPS Requirement

ZendFi only delivers webhooks to HTTPS endpoints in production. Plaintext HTTP endpoints will not receive events. During local development, use the CLI webhook tunnel which provides HTTPS automatically:

Verification Checklist

Before going to production, verify:
  • Webhook secret is stored in environment variables
  • Signature verification is enabled (automatic with SDK handlers)
  • Timestamp tolerance is set (SDK default: 5 minutes)
  • Event deduplication is implemented
  • Endpoint returns 200 for all received webhooks
  • Endpoint uses HTTPS
  • Error handling does not leak sensitive information in responses
  • Webhook events are logged for debugging and audit