Skip to main content

Documentation Index

Fetch the complete documentation index at: https://api-doc.xmenu.it/llms.txt

Use this file to discover all available pages before exploring further.

Every webhook notification sent by xMenu includes a security signature that allows you to verify its authenticity.

Security Header

Each webhook request contains the following header: 
X-Xmenu-Signature: <hmac-sha256-signature>
The signature is an HMAC-SHA256 hash of the request payload, computed using your Webhook Secret.

Webhook Secret

You can find your Webhook Secret in the restaurant panel under Tools > API Access.

Signature Validation

To verify that a webhook notification is authentic:
  1. Retrieve the X-Xmenu-Signature header from the incoming request
  2. Compute the HMAC-SHA256 hash of the request body using your Webhook Secret
  3. Compare the computed hash with the signature from the header
  4. Reject the request if the signatures don’t match

Code Examples

<?php
$webhook_secret = 'your-webhook-secret';
$req_headers = getallheaders();
$signature = $req_headers['X-Xmenu-Signature'];
$payload = file_get_contents('php://input');
$calc_hmac = hash_hmac('sha256', $payload, $webhook_secret);

if ($signature !== $calc_hmac) {
    header('HTTP/1.0 401 Unauthorized');
    exit('Webhook signature is not valid!');
}

$data = json_decode($payload);
// Process the webhook notification
Always validate the webhook signature before processing any data. Never trust incoming webhook requests without verification.