Skip to main content

Webhook Security

In a nutshell

Webhook security protects your integration from forged events and duplicate processing.

Headers

Merchant webhook deliveries can include:
HeaderDescription
x-nombasub-eventEvent type.
x-nombasub-webhook-idDelivery ID.
x-nombasub-tenant-idTenant ID.
x-nombasub-timestampEvent timestamp.
x-nombasub-signatureSignature when signing is configured.

Verification

When a signing secret is configured, verify the signature before processing the webhook. The signature is based on event type, webhook ID, tenant ID, timestamp, and your webhook secret.

Best practices

  • Use HTTPS webhook URLs.
  • Return 2xx quickly.
  • Process events asynchronously.
  • Store processed webhook IDs to prevent duplicates.
  • Treat webhook payloads as notifications; fetch fresh data when public read endpoints are available.