This page explains how to secure your webhook endpoint and verify that each webhook genuinely came from Adyen.
Verify HMAC before trusting a webhook
Adyen signs each webhook with a Hash-based Message Authentication Code (HMAC) using a secret key you generate in the Customer Area. By verifying the signature, you confirm that the event was sent by Adyen and was not modified in transit. Always verify the HMAC signature before processing the payload or trusting any of its data. Discard any webhook whose signature does not match.
Generate the HMAC key under Developers > Webhooks > your webhook > Security. Each key is linked to one endpoint, and test and live use different keys, so generate a new key when you go live.
For Standard webhooks, the signature arrives in the additionalData.hmacSignature field of the notification.
Verification outline
You can verify using one of Adyen's server libraries, or build your own. The outline of the manual approach:
Build the signing payload. Concatenate these fields from the notification, in order, delimited by colons, using an empty string for any empty field:
pspReference,originalReference,merchantAccountCode,merchantReference,value,currency,eventCode,success.Compute the HMAC. Calculate an HMAC over the payload using SHA-256 and the binary form of your hex HMAC key, then Base64-encode the result.
Compare. If your computed signature matches the
hmacSignaturefrom the webhook, the message is authentic and unmodified.
payload = join(":", [
pspReference, originalReference, merchantAccountCode,
merchantReference, value, currency, eventCode, success
])
expected = base64(hmac_sha256(key = hexToBinary(HMAC_KEY), data = payload))
if (expected == notification.additionalData.hmacSignature) {
// authentic: continue processing
} else {
// reject the webhook
}
Using an Adyen library is recommended, since it handles the payload construction and comparison for you. See Adyen's API libraries.
Additional protections
HMAC verifies authenticity and integrity. Combine it with these layers:
Authentication on your endpoint. Configure basic authentication (username and password) in the Customer Area so Adyen includes credentials your server checks. Always use HTTPS so the credentials are not exposed. Basic authentication confirms the sender, but not that the message was unmodified, which is why HMAC remains important. For the Standard webhook, OAuth 2.0 is also supported and is the stronger option.
IP and domain allowlisting. If your network requires it, allow Adyen's traffic by allowlisting the domain
out.adyen.com. Adyen does not publish a fixed list of IP addresses, because they change over time, so prefer domain allowlisting or regular DNS resolution rather than hardcoding IPs.
Adyen also requires HTTPS endpoints with TLS 1.2 or TLS 1.3 for all webhooks.
For how this fits into receiving and processing webhooks, see Handling Webhooks.