Webhook Signatures

Securely verify that SamaPay sent the event.

SamaPay signs all outgoing webhook events with a secure HMAC SHA-256 signature. This ensures that the event was not tampered with and was indeed sent by our platform.

Verification Logic

We include a Sama-Signature header in every POST request.

Step 1: Get Secret

Retrieve your Webhook Secret from the Settings > The Bridge tab in your Merchant Hub.

Step 2: Generate HMAC

Construct a hex-encoded HMAC SHA-256 signature using your secret and the raw JSON request body.

const crypto = require('crypto');

const secret = 'your_merchant_secret';
const payload = JSON.stringify(req.body); // Use raw body
const signature = crypto
  .createHmac('sha256', secret)
  .update(payload)
  .digest('hex');

if (signature === req.headers['sama-signature']) {
  // Event is authentic!
}
GH
TechHive SamaPay Docs
Last updated Mar 2026