Every webhook notification sent by xMenu includes a security signature that allows you to verify its authenticity.
Each webhook request contains the following header:
X-Xmenu-Signature: <hmac-sha256-signature>
The signature is an HMAC-SHA256 hash of the request payload, computed using your Webhook Secret.
Webhook Secret
You can find your Webhook Secret in the restaurant panel under Tools > API Access.
Signature Validation
To verify that a webhook notification is authentic:
- Retrieve the X-Xmenu-Signature header from the incoming request
- Compute the HMAC-SHA256 hash of the request body using your Webhook Secret
- Compare the computed hash with the signature from the header
- Reject the request if the signatures don’t match
Code Examples
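<?php
$webhook_secret = 'your-webhook-secret';
// Header names are case-insensitive, so normalize them before the lookup
$req_headers = array_change_key_case(getallheaders(), CASE_LOWER);
// A missing header becomes an empty string and fails the check below
$signature = $req_headers['x-xmenu-signature'] ?? '';
// Read the raw request body exactly as it was received
$payload = file_get_contents('php://input');
$calc_hmac = hash_hmac('sha256', $payload, $webhook_secret);
// hash_equals() compares in constant time, unlike !==, so the comparison does not leak timing information
if (!hash_equals($calc_hmac, $signature)) {
    header('HTTP/1.0 401 Unauthorized');
    exit('Webhook signature is not valid!');
}
// Parse the payload only after the signature has been verified
$data = json_decode($payload);
// Process the webhook notification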
Always validate the webhook signature before processing any data. Never trust incoming webhook requests without verification.
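The validation steps above can fail in ways the happy path hides: a missing header, a header name whose case was changed by a proxy, and a body that was parsed and re-serialized before hashing. The following Python sketch is an added example, not xMenu's own code; it assumes the signature is hex-encoded (as the `hash_hmac` output in the PHP example implies), and the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import json


def verify_xmenu_signature(headers, raw_body: bytes, secret: str) -> bool:
    """Return True only if X-Xmenu-Signature matches HMAC-SHA256(secret, raw_body)."""
    # HTTP header names are case-insensitive; proxies often lowercase them.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get("x-xmenu-signature")
    if not received:
        return False  # missing or empty header: reject
    # Assumption: the header carries the hex digest, as in the PHP example.
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes.
    return hmac.compare_digest(expected.encode(), received.encode())


def handle_webhook(headers, raw_body: bytes, secret: str):
    """Verify first, parse second. Returns (status_code, parsed_payload_or_None)."""
    if not verify_xmenu_signature(headers, raw_body, secret):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample values, not real xMenu data.
SECRET = "example-webhook-secret"
RAW_BODY = b'{"event": "order.created",  "order_id": 1001}'  # note the double space
SIGNATURE = hmac.new(SECRET.encode(), RAW_BODY, hashlib.sha256).hexdigest()


def reserialized_body() -> bytes:
    """Parsing and re-dumping JSON changes whitespace, so the bytes differ."""
    return json.dumps(json.loads(RAW_BODY)).encode()


if __name__ == "__main__":
    print(handle_webhook({"x-xmenu-signature": SIGNATURE}, RAW_BODY, SECRET))
    # Same signature, but the body was re-serialized before hashing: rejected.
    print(handle_webhook({"X-Xmenu-Signature": SIGNATURE}, reserialized_body(), SECRET))
    # No signature header at all: rejected.
    print(handle_webhook({}, RAW_BODY, SECRET))
```

Compute the HMAC over the raw bytes your framework received, before any JSON parsing or middleware rewrites the body.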