Webhook Security
Sydx AI receives webhooks from Meta (WhatsApp) and payment providers. Both are secured with cryptographic signature verification.
Meta Webhook Verification
Initial Setup Verification
When you configure the webhook URL in the Meta Developer Console, Meta sends a verification request to confirm ownership. The server validates the verification token and responds with the required challenge.
Incoming Event Verification
Every incoming webhook from Meta includes a cryptographic signature:
- The signature is verified using industry-standard HMAC-SHA256
- If the signature does not match, the request is rejected with an error
- This prevents unauthorized parties from sending fake webhook events
Payment Webhook Verification
All payment-related webhooks include signature verification:
- Every payment callback is cryptographically verified before processing
- Invalid signatures are immediately rejected
- Duplicate events are safely handled to prevent double-processing
Idempotency
Payment webhook events are processed exactly once:
- The system checks if the event has already been processed
- Duplicate events are safely ignored
- All events are logged for audit purposes
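
The signature check described under Incoming Event Verification and the duplicate handling described under Idempotency, combined in one receiver. This is an added example, not Sydx AI's code: it assumes the `sha256=<hex>` header format that Meta uses for `X-Hub-Signature-256`, and the `id` event field, the 401 status, the secret and all function names are illustrative assumptions.

```python
import hashlib
import hmac
import json

APP_SECRET = b"constructed-demo-secret"  # constructed value, not a real secret


def sign(raw_body, secret):
    """Build the header value a sender would attach (used here for sample input)."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def signature_valid(raw_body, header, secret):
    """Check an HMAC-SHA256 signature over the raw, unparsed request body."""
    if not header or not header.startswith("sha256="):
        return False
    try:
        received = bytes.fromhex(header[len("sha256="):])
    except ValueError:
        return False  # malformed hex is treated as an invalid signature
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


class WebhookReceiver:
    def __init__(self, secret):
        self.secret = secret
        # Stand-in for a database table with a unique key on the event id;
        # in production the check-and-insert must be a single atomic operation.
        self.processed = set()
        self.audit_log = []

    def handle(self, raw_body, header):
        """Return the HTTP status the endpoint would send (401 is an assumption)."""
        if not signature_valid(raw_body, header, self.secret):
            self.audit_log.append(("rejected", "bad signature"))
            return 401
        event = json.loads(raw_body)  # parse only after the signature is verified
        event_id = event["id"]        # hypothetical event-id field
        if event_id in self.processed:
            self.audit_log.append(("duplicate", event_id))
            return 200                # acknowledge so the sender stops retrying
        self.processed.add(event_id)
        self.audit_log.append(("processed", event_id))
        return 200
```

The signature must be computed over the exact bytes received; re-serializing parsed JSON before verifying can change whitespace or key order and make valid requests fail.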
General Security Measures
| Measure | Description |
|---|---|
| Signature Verification | All webhooks are cryptographically verified |
| HTTPS Only | Webhooks are only accepted over encrypted connections |
| Rate Limiting | Webhook endpoints are rate-limited to prevent abuse |
| Audit Logging | All webhook events are logged for compliance |
| Error Isolation | Webhook processing errors are contained and do not affect other services |
Security Best Practice
Never share your webhook verification tokens or API secrets. Rotate your tokens periodically and monitor your webhook logs for any unusual activity.