Webhook Identity Verification
How to verify that webhook deliveries genuinely come from Cresora.
Every webhook delivery from Cresora includes an HMAC-SHA256 signature. Verifying this signature confirms the delivery is from Cresora and hasn't been tampered with.
Why this matters
Without signature verification, any party who knows your webhook endpoint URL could send fake events and trigger unintended actions (e.g., fake payment.captured events to trigger order fulfillment).
Verification steps
- Read the X-Cresora-Signature header: sha256=<hex>
- Read the X-Cresora-Timestamp header: Unix timestamp
- Reject if timestamp > 5 minutes old (prevents replay attacks)
- Build the signing payload: <timestamp>.<raw_body>
- Compute HMAC-SHA256(payload, signing_secret)
- Compare to X-Cresora-Signature using constant-time comparison
See Signature Verification for complete code examples in Node.js and Python.
The signing secret
Your endpoint's signing secret is generated when you register the endpoint in the Partner Portal. It is:
- Unique per endpoint (different endpoints have different secrets)
- Displayed only once — save it to your secrets manager immediately
- Rotatable in the Partner Portal without downtime (update your secret manager first, then rotate)
Source IP allowlisting (optional)
For defense-in-depth, you can allowlist Cresora's webhook source IP ranges. Contact your Cresora account manager for the current IP list.
IP allowlisting alone is not sufficient — always verify the signature. IP addresses can be spoofed. The signature is the authoritative proof of identity.
Handling signature failures
If signature verification fails:
- Log the failure with the raw headers (not the body — it may be malicious)
- Return 400 Bad Request
- Do not process the event
- Alert your security team if failures persist — it may indicate an active attack
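The following Python is an added illustration of the six verification steps together with the failure handling above; it is not Cresora's own sample code. It assumes the header names and payload format stated on this page and uses a constructed signing secret, body and timestamp. Signatures are recomputed over the raw request bytes, never over a re-serialised JSON object, and the comparison uses hmac.compare_digest.

```python
import hashlib
import hmac
import logging
import time
from typing import Optional

# Header names and freshness window as documented on the page
SIG_HEADER = "X-Cresora-Signature"
TS_HEADER = "X-Cresora-Timestamp"
MAX_AGE_SECONDS = 5 * 60

log = logging.getLogger("webhooks")


def compute_signature(timestamp: str, raw_body: bytes, signing_secret: str) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw_body>', hex-encoded, with the 'sha256=' prefix."""
    payload = timestamp.encode("ascii") + b"." + raw_body
    digest = hmac.new(signing_secret.encode("utf-8"), payload, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_delivery(headers: dict, raw_body: bytes, signing_secret: str,
                    now: Optional[float] = None) -> tuple:
    """Return (ok, reason) following the verification steps on the page."""
    if now is None:
        now = time.time()
    # HTTP header names are case-insensitive; normalise once before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    sig_header = lowered.get(SIG_HEADER.lower())
    ts_header = lowered.get(TS_HEADER.lower())
    if not sig_header or not ts_header:
        return False, "missing signature or timestamp header"
    if not sig_header.startswith("sha256="):
        return False, "unexpected signature scheme"
    try:
        ts = int(ts_header)
    except ValueError:
        return False, "malformed timestamp"
    # Step 3: freshness window. abs() also rejects far-future timestamps, a
    # conservative choice of this example beyond the page's "older than" rule.
    if abs(now - ts) > MAX_AGE_SECONDS:
        return False, "timestamp outside 5 minute window"
    # Steps 4 and 5: rebuild the payload from the raw bytes and recompute the HMAC.
    expected = compute_signature(ts_header, raw_body, signing_secret)
    # Step 6: constant-time comparison to avoid leaking how many bytes matched.
    if not hmac.compare_digest(expected, sig_header):
        return False, "signature mismatch"
    return True, "ok"


def handle_delivery(headers: dict, raw_body: bytes, signing_secret: str,
                    now: Optional[float] = None) -> tuple:
    """Apply the page's failure handling: log headers only, answer 400, skip processing.
    Returns (status_code, body_text)."""
    ok, reason = verify_delivery(headers, raw_body, signing_secret, now)
    if not ok:
        # The body is untrusted at this point, so only the headers are logged.
        log.warning("webhook signature failure: %s headers=%r", reason, headers)
        return 400, "Bad Request"
    # A real handler would dispatch the event here.
    return 200, "OK"


def sample_delivery(now: int = 1700000000) -> tuple:
    """Constructed example delivery (secret, body and timestamp are made up)."""
    secret = "whsec_example_constructed_secret"
    body = b'{"type":"payment.captured","id":"evt_example_1"}'
    ts = str(now)
    headers = {TS_HEADER: ts, SIG_HEADER: compute_signature(ts, body, secret)}
    return headers, body, secret


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    h, b, s = sample_delivery()
    print(handle_delivery(h, b, s, now=1700000000))        # valid delivery
    print(handle_delivery(h, b + b" ", s, now=1700000000)) # body tampered
    print(handle_delivery(h, b, s, now=1700000000 + 600))  # replayed 10 minutes later
```

Pass the request body to verify_delivery exactly as received from the socket; frameworks that parse JSON before your handler runs can change whitespace or key order and will break the signature.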