Authenticating Webhook Requests
To guarantee the authenticity and origin of the HTTP requests sent to your API webhook endpoint, you must validate both the X-CoinPayments-Signature header and the sender's IP address for each request.
All webhook messages from CoinPayments contain the same headers as used by merchants to sign requests:
'X-CoinPayments-Client': <clientId>,
'X-CoinPayments-Timestamp': <date>, (UTC ISO-8601)
'X-CoinPayments-Signature': <signature>
The merchant must verify the cryptographic signature, using the integration private key, to ensure the webhook request originated from the CoinPayments system.
See this section for more information on how API signatures are generated.
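The following sketch of the receiving side is an added example, not CoinPayments code. It checks the sender's IP, the client ID, the timestamp freshness and the signature, comparing in constant time. Assumptions: the signed-message layout and HMAC-SHA256/Base64 encoding (confirm both against the API signature section referenced above), the 5-minute freshness window, and all sample values, which are constructed placeholders.

```python
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed placeholders; real values come from your integration settings.
CLIENT_ID = "example-client-id"
INTEGRATION_KEY = b"example-integration-private-key"
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder range
MAX_SKEW = timedelta(minutes=5)  # assumed freshness window, not from the page


def canonical_message(method, url, client_id, timestamp, body):
    # ASSUMED layout of the signed string; confirm it against the API
    # signature documentation. `body` is the raw request bytes as received.
    return ("\ufeff" + method + url + client_id + timestamp).encode() + body


def sign(method, url, client_id, timestamp, body, key=INTEGRATION_KEY):
    msg = canonical_message(method, url, client_id, timestamp, body)
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def verify_webhook(headers, method, url, body, source_ip, now=None):
    """Return (ok, reason). source_ip must be the real peer address."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    now = now or datetime.now(timezone.utc)
    try:
        peer = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "bad source ip"
    if not any(peer in net for net in ALLOWED_SOURCES):
        return False, "source ip not allowed"
    client_id, timestamp, signature = (
        h.get("x-coinpayments-" + n, "") for n in ("client", "timestamp", "signature"))
    if not hmac.compare_digest(client_id.encode(), CLIENT_ID.encode()):
        return False, "unknown client id"
    try:
        sent = datetime.fromisoformat(timestamp)
    except ValueError:
        return False, "bad timestamp"
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)  # header is documented as UTC
    if abs(now - sent) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(method, url, client_id, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "signature mismatch"
    return True, "ok"
```

Pass the request body exactly as it arrived on the wire; re-serializing parsed JSON before verification can change the bytes and cause valid signatures to fail.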