Signature verification
Tesouro signs webhook deliveries using HMAC. Each request includes a signature you can verify against a shared secret to confirm the payload originated from Tesouro and wasn’t tampered with.
To set up a signing secret for your subscription, contact your Tesouro implementation team.
To verify each incoming request:
- Extract the signature from the X-Webhook-Signature header
- Compute the expected signature using your webhook secret and the raw request body
- Compare signatures to verify they match
- Reject invalid requests by returning a 401 status
Always verify webhook signatures before processing events. This prevents malicious actors from sending fake webhooks to trigger unauthorized actions in your system.
Secret rotation
Signing secrets can be rotated without downtime:
- Add the new secret before removing the old one
- Verify incoming requests against both secrets during the rotation period
- Remove the old secret only after all in-flight webhooks have been processed
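The verification steps above and the dual-secret rotation window, as an added example that is not Tesouro's own code: it takes the X-Webhook-Signature header and the raw body, checks the HMAC against every configured secret in constant time, and returns 401 on any failure. The page does not state the hash or encoding Tesouro uses, so SHA-256 with hex output is an assumption here; the secrets and payload are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample values, not real Tesouro material.
OLD_SECRET = b"old-signing-secret"
NEW_SECRET = b"new-signing-secret"
SAMPLE_BODY = b'{"event":"payment.settled","id":"evt_sample_001"}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC over the raw request bytes exactly as received.

    Never re-serialise parsed JSON first: any whitespace or key-order change
    produces a different digest. SHA-256 + hex is an assumed scheme.
    """
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, header_value: Optional[str],
                     secrets: List[bytes]) -> bool:
    """True if the header matches the HMAC under any configured secret.

    During rotation `secrets` holds both the new and the old secret, so
    in-flight deliveries signed with either one are still accepted.
    """
    if not header_value:
        return False
    presented = header_value.strip().encode("ascii", "replace")
    for secret in secrets:
        expected = compute_signature(secret, raw_body).encode("ascii")
        # Constant-time comparison so timing does not leak which bytes matched.
        if hmac.compare_digest(expected, presented):
            return True
    return False


def handle_webhook(headers: Dict[str, str], raw_body: bytes,
                   secrets: List[bytes]) -> int:
    """Return the HTTP status the endpoint should respond with."""
    # Header names are case-insensitive on the wire; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(raw_body, lowered.get("x-webhook-signature"), secrets):
        return 401  # reject before any event processing happens
    return 200


if __name__ == "__main__":
    sig = compute_signature(OLD_SECRET, SAMPLE_BODY)
    print("rotation window:", handle_webhook({"X-Webhook-Signature": sig}, SAMPLE_BODY, [NEW_SECRET, OLD_SECRET]))
    print("old secret removed:", handle_webhook({"X-Webhook-Signature": sig}, SAMPLE_BODY, [NEW_SECRET]))
```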
Contact Tesouro support to rotate your webhook signing secret.
Endpoint validation
In addition to signature verification:
- Register only HTTPS endpoints; plain HTTP is not supported
- Where possible, restrict your webhook handler to known Tesouro source IPs
- Return 401 for requests that fail validation
Additional options
Tesouro also supports mutual TLS (mTLS) for endpoints that require it. Contact your Tesouro implementation team to enable it.