Signing Requests
Verify webhook requests from Lemon Squeezy by using a signing secret to generate and compare hashes of the payload.
To ensure that webhook requests are coming from Lemon Squeezy, you will be asked to enter a signing secret when creating your webhook. The secret can be anything you want but is normally a random string between 6 and 40 characters in length.
When the webhook request is sent, Lemon Squeezy will use the signing secret to generate a hash of the payload and send the hash in the X-Signature header of the request. You can use the same secret to calculate the hash in your application and check it against the request signature to verify that the hashes match.
Examples
Lemon Squeezy generates the hash using an HMAC hex digest, and the process for calculating the hash differs across programming languages.
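The check described above in Python, as an added example that is not Lemon Squeezy's own code. It recomputes the HMAC hex digest over the raw request body, compares it to the X-Signature value in constant time, and shows that a re-serialized copy of the body no longer verifies. Assumptions: SHA-256 as the HMAC hash function, the function names, and the constructed sample secret and body.

```python
import hashlib
import hmac
import json

def sign(raw_body: bytes, secret: str) -> str:
    """Hex HMAC digest of the exact body bytes, keyed with the signing secret.
    SHA-256 is an assumption; the text above only says 'HMAC hex digest'."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()

def verify_webhook(raw_body: bytes, signature_header, secret: str) -> bool:
    """Return True only if the X-Signature value matches our own digest."""
    if not signature_header:
        return False  # missing or empty header: reject before hashing
    expected = sign(raw_body, secret).encode("ascii")
    try:
        received = signature_header.strip().encode("ascii")
    except UnicodeEncodeError:
        return False  # a hex digest is always ASCII
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(expected, received)

# Constructed sample values, not real Lemon Squeezy data.
SECRET = "example-signing-secret"
RAW_BODY = b'{"event":"example","id":"1"}'

def demo() -> dict:
    header = sign(RAW_BODY, SECRET)  # what the sender would put in X-Signature
    # Parsing and re-dumping changes whitespace, so the bytes (and hash) differ.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode("utf-8")
    return {
        "valid": verify_webhook(RAW_BODY, header, SECRET),
        "tampered": verify_webhook(RAW_BODY.replace(b'"1"', b'"2"'), header, SECRET),
        "reserialized": verify_webhook(reserialized, header, SECRET),
        "missing_header": verify_webhook(RAW_BODY, None, SECRET),
        "wrong_secret": verify_webhook(RAW_BODY, header, "other-secret"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

Run the check on the body bytes exactly as they arrived, before any JSON parsing or framework body middleware touches them.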