# Signature

To ensure the webhook body has not been tampered with, you should request an `Event-Signature` header to be sent with your event.

This contains a Hash-based Message Authentication Code ([HMAC](https://en.wikipedia.org/wiki/HMAC)) generated from a `shared secret` and the webhook body itself.

Contact your Worldpay Implementation Manager to enable the `Event-Signature` header and receive the `shared secret`.

## Verifying

### Step 1

Extract the `Event-Signature` HTTP(S) header from the incoming events webhook request.

* Can contain multiple signatures (comma separated).
* The order of the signatures can change, so always select a signature by its `keyId` rather than by position.


#### `Event-Signature`

Single signature example

```
Event-Signature:1/SHA256/XXXXXXXXXX
```

Multiple signatures example

```
Event-Signature:1/SHA256/XXXXXXXXXXXXXX,2/SHA256/YYYYYYYYYYYYYY
```

#### Format

```
Event-Signature:{keyId}/{hashFunction}/{signature}
```

| Parameter | Description |
|  --- | --- |
| `keyId` | Numeric reference for the `shared secret` used to sign the message. The `keyId` value changes/increments if a new signature is generated. |
| `hashFunction` | The cryptographic hash function used to create the [HMAC](https://en.wikipedia.org/wiki/HMAC). Currently supported: ([SHA256](https://en.wikipedia.org/wiki/SHA-2)) |
| `signature` | Hash-based Message Authentication Code ([HMAC](https://en.wikipedia.org/wiki/HMAC)). Generated from the webhook body and shared secret using the `hashFunction`. |


### Step 2

Take the webhook body and shared secret, then use the `hashFunction` to generate the HMAC signature.

### Step 3

Compare your generated HMAC signature from step 2 with the `signature` received in the `Event-Signature` header.

* Signatures match - respond with a `200` HTTP(S) status code.
* Signatures don't match - discard the webhook body and return a `400` HTTP(S) status code.
* No signature received (and you are set up for HMAC) - return a `400` HTTP(S) status code.
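The three steps above, as an added example in Python (this is not Worldpay's own code): it parses a multi-signature header, selects the shared secret by `keyId` rather than by position, recomputes the HMAC-SHA256 over the raw body, and compares in constant time. It assumes that `signature` is the lowercase hex encoding of the HMAC digest and that the receiver keeps one shared secret per `keyId`; the encoding is an assumption, since the page does not state it. All secrets and the body are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values, not real Worldpay secrets or events.
# One shared secret per keyId, as received from the Implementation Manager.
SECRETS = {"1": b"constructed-shared-secret-1", "2": b"constructed-shared-secret-2"}
BODY = b'{"eventId":"evt-0001","eventDetails":{"type":"sentForSettlement"}}'

# Hash functions the page lists as supported (currently only SHA256).
HASH_FUNCTIONS = {"SHA256": hashlib.sha256}


def parse_event_signature(header):
    """Split `{keyId}/{hashFunction}/{signature}[,...]` into (keyId, hashFunction, signature) tuples."""
    entries = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        fields = part.split("/")
        if len(fields) != 3:
            raise ValueError(f"malformed Event-Signature entry: {part!r}")
        key_id, hash_function, signature = fields
        entries.append((key_id.strip(), hash_function.strip().upper(), signature.strip()))
    return entries


def compute_signature(body, secret, hash_function="SHA256"):
    """Step 2: HMAC of the raw body under the shared secret (assumed lowercase hex output)."""
    return hmac.new(secret, body, HASH_FUNCTIONS[hash_function]).hexdigest()


def verify_event(body, header, secrets):
    """Steps 1-3: return the HTTP status the receiver should answer with (200 or 400)."""
    if header is None or not header.strip():
        return 400  # HMAC is enabled but no signature arrived
    try:
        entries = parse_event_signature(header)
    except ValueError:
        return 400
    for key_id, hash_function, received in entries:
        if hash_function not in HASH_FUNCTIONS:
            continue  # unsupported algorithm; try the next signature
        secret = secrets.get(key_id)
        if secret is None:
            continue  # unknown keyId; try the next signature
        expected = compute_signature(body, secret, hash_function)
        # Constant-time comparison so timing does not leak how many bytes matched.
        if hmac.compare_digest(expected.encode("ascii"), received.lower().encode("ascii")):
            return 200
    return 400  # no signature matched: discard the body


def make_event_signature(body, secrets, key_ids):
    """Build a header value for the given keyIds (used here only to construct sample input)."""
    return ",".join(f"{k}/SHA256/{compute_signature(body, secrets[k])}" for k in key_ids)


if __name__ == "__main__":
    header = make_event_signature(BODY, SECRETS, ["2", "1"])
    print(header)
    print(verify_event(BODY, header, SECRETS))            # genuine body
    print(verify_event(BODY + b" ", header, SECRETS))     # tampered body
```

Verify against the exact bytes of the request body as received; re-serialising the parsed JSON before hashing changes whitespace and key order and will produce a different HMAC.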