Securing webhook request

EelcoEelco Member Posts: 4
Hi all,

We are using the Lightspeed webhooks a lot, and want to validate them now. We work in PHP.

"The header "X-Signature" should be available and is a md5 hash of the incoming payload . app_secret of the .env file"

Now when we retrieve a webhook, we get the data of it via $request->all(). I can also retrieve the X-Signature via $request->header('X-Signature')

However, when I do md5($request->all() . app_secret), this does not match the md5 hash in $request->header('X-Signature').

Anyone knows what I'm doing wrong?

Kind regards,


  • JaivyDaamJaivyDaam Lightspeed Staff Posts: 29 Lightspeed
    Hi @Eelco,

    this is a difficult one, it seems that the Hash process on the server doesn't match the one you are using. I will have to go over this with the Dev team to see if I can get a straight answer. 

    I will get back to you as soon as I've received an update. Thank you!
  • jamesratcliffejamesratcliffe Administrator, Lightspeed Staff Posts: 160 moderator
    @Eelco What's the output of $request->all()? This will usually give the request input as an array, so I don't think this is what you want.

    I would try $request->getBody().
    James Ratcliffe
    Lightspeed HQ
Sign In or Register to comment.