# Webhook Signature

> Learn how to verify webhook signatures to ensure secure communication

## Overview

Our webhooks include a signature in the request headers to ensure authenticity and integrity. This document explains how the signature is generated and how you can verify it to ensure that the webhook payload was sent by our system.

## Webhook Signature

When we send a webhook, the `x-webhook-wp-signature` header will contain a Bearer token. This token is a SHA256 hash that you can use to verify the authenticity of the webhook request.

### Payin Webhook Signature

For a Payin webhook, you need to concatenate the following fields in the exact order:

```
{id}{key}{amount}{api_key}
```

Where:

* `{id}`: The unique identifier of the transaction
* `{key}`: A specific key associated with the transaction. In the case of Payin creation, the value used for key is the `hash` field returned in the response
* `{amount}`: The amount involved in the transaction
* `{api_key}`: Your API key used for authentication

<Warning>
  In Payin webhooks, for cases where the Payin is canceled and the `paid_amount` field in the webhook is null, the `{amount}` value used in the signature calculation is still the original amount that was specified when the Payin was created — not the null value.

  Therefore, always ensure that signature verification uses the original Payin amount, regardless of the payment status.
</Warning>

### Payout Webhook Signature

For a Payout webhook, the following fields should be concatenated:

```
{invoice}{currency}{amount}{api_key}
```

Where:

* `{invoice}`: The invoice number of the payout transaction
* `{currency}`: The currency used in the payout
* `{amount}`: The amount of the payout
* `{api_key}`: Your API key used for authentication

### Automatic PIX Webhook Signature

For webhooks carrying Automatic PIX data (authorizations, schedules and payins), the following fields should be concatenated:

```
{merchant_id}{contract_id}{api_key}
```

Where:

* `{merchant_id}`: Merchant ID of the user that created the authorization
* `{contract_id}`: Contract ID of the authorization
* `{api_key}`: API Key of the user that created the authorization

## Signature Verification

To verify the webhook's authenticity:

1. Concatenate the required fields (depending on whether the webhook is for a Payin, Payout, or Automatic PIX)
2. Generate a SHA256 hash of the concatenated string
3. Compare the generated hash with the token provided in the `x-webhook-wp-signature` header

If the hashes match, the webhook is verified as authentic.
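One way to implement the three steps above in Python, as an added example that is not part of the original documentation. It assumes the digest is sent hex-encoded and that the header value may carry a literal `Bearer ` prefix; the `kind` labels and dictionary keys are illustrative names for the documented fields.

```python
import hashlib
import hmac

# Field order per webhook type, as documented above; the API key goes last.
SIGNATURE_FIELDS = {
    "payin": ("id", "key", "amount"),
    "payout": ("invoice", "currency", "amount"),
    "automatic_pix": ("merchant_id", "contract_id"),
}


def expected_signature(kind, fields, api_key):
    """SHA256 of the documented fields concatenated in order, then the API key."""
    parts = []
    for name in SIGNATURE_FIELDS[kind]:
        value = fields.get(name)
        if value is None:
            # A null here (e.g. paid_amount on a canceled Payin) must not be signed.
            raise ValueError(f"missing signature field: {name}")
        # Keep amounts as decimal strings ("10.00"); a float would lose the zeros.
        parts.append(str(value))
    material = "".join(parts) + api_key
    # Assumption: the digest is transmitted as a hex string.
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def verify_webhook(kind, fields, api_key, header_value):
    """Return True only if the x-webhook-wp-signature value matches."""
    if not header_value:
        return False
    token = header_value.strip()
    # Assumption: the header may carry a literal "Bearer " prefix.
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    try:
        expected = expected_signature(kind, fields, api_key)
    except (KeyError, ValueError):
        return False  # unknown webhook kind or incomplete fields: reject
    # Constant-time comparison; case-folded because hex case is an assumption.
    return hmac.compare_digest(expected.encode(), token.lower().encode())


# Constructed sample built from the Payin example values on this page.
SAMPLE_FIELDS = {"id": "123456", "key": "ABCD", "amount": "10.00"}
SAMPLE_API_KEY = "FF9876543210"
SAMPLE_HEADER = "Bearer " + hashlib.sha256(b"123456ABCD10.00FF9876543210").hexdigest()

if __name__ == "__main__":
    print(verify_webhook("payin", SAMPLE_FIELDS, SAMPLE_API_KEY, SAMPLE_HEADER))
```

For Payin webhooks, pass the amount from your own record of the created Payin rather than `paid_amount` from the webhook body, as the warning above requires.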

## Examples

### Payin

For a Payin webhook with the following data:

* `{id}` = 123456
* `{key}` = ABCD
* `{amount}` = 10.00
* `{api_key}` = FF9876543210

**Concatenated string**: `123456ABCD10.00FF9876543210`

To verify the authenticity of the webhook, generate the SHA256 hash of this string and compare it with the `x-webhook-wp-signature` header.

### Payout

For a Payout webhook with the following data:

* `{invoice}` = WE00000001
* `{currency}` = BRL
* `{amount}` = 5.00
* `{api_key}` = FF99775566ffddhh

**Concatenated string**: `WE00000001BRL5.00FF99775566ffddhh`

To verify the authenticity of the webhook, generate the SHA256 hash of this string and compare it with the `x-webhook-wp-signature` header.

### Automatic PIX

For an Automatic PIX webhook with the following data:

* `{merchant_id}` = 467
* `{contract_id}` = A001
* `{api_key}` = FF99775566ffddhh

**Concatenated string**: `467A001FF99775566ffddhh`

To verify the authenticity of the webhook, generate the SHA256 hash of this string and compare it with the `x-webhook-wp-signature` header.

## Related Resources

<CardGroup cols={2}>
  <Card title="KYC Webhook" icon="webhook" href="/api-reference/kyc/webhook">
    Learn about KYC webhooks
  </Card>

  <Card title="Payin Callback" icon="arrow-down" href="/api-reference/cash-in/payin/callback-charge">
    Payin webhook callback
  </Card>

  <Card title="Payout Callback" icon="arrow-up" href="/api-reference/cash-out/payout/callback-payment">
    Payout webhook callback
  </Card>
</CardGroup>

<Note>
  For any further questions or issues, please reach out to our support team.
</Note>
