Every webhook notification sent by xMenu includes a security signature that allows you to verify its authenticity.
Each webhook request contains the following header:
The signature is an HMAC-SHA256 hash of the request payload, computed using your Webhook Secret.
Webhook Secret
You can find your Webhook Secret in the restaurant panel under Tools > API Access.
Signature Validation
To verify that a webhook notification is authentic:
- Retrieve the
X-Xmenu-Signature header from the incoming request
- Compute the HMAC-SHA256 hash of the request body using your Webhook Secret
- Compare the computed hash with the signature from the header
- Reject the request if the signatures don’t match
Code Examples
Always validate the webhook signature before processing any data. Never trust incoming webhook requests without verification.