For each event delivery, Paylias includes a webhook signature header in the HTTP request so that you can verify the event's authenticity, provided that your webhook subscription has been set up with a shared secret key. The signature is available in the headers under the key X-PAYLIAS-SIGNATURE. Paylias uses the entire Event to generate the signature: the payload is first marshaled to its raw JSON bytes, then an HMAC is computed over those bytes using SHA‑512 with your secret as the key, and finally the resulting digest is encoded as a hexadecimal string.

Sample Code

Please review the sample code below carefully to ensure your verification code aligns with it and passes the signature example provided below.
The following code samples were generated with the help of AI. Please verify them before using them in production.
package webhook

import (
  "crypto/hmac"
  "crypto/sha512"
  "encoding/hex"
)

// VerifyPayloadSignature returns true if `signature` matches the HMAC‑SHA512 of `payload` using `secret`.
func VerifyPayloadSignature(secret string, payload []byte, signature string) bool {
  mac := hmac.New(sha512.New, []byte(secret))
  mac.Write(payload)
  expected := hex.EncodeToString(mac.Sum(nil))
  // hmac.Equal is timing‑safe
  return hmac.Equal([]byte(expected), []byte(signature))
}
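
An added example (not Paylias's own code) of where this check sits in a Go HTTP receiver: the signature is verified over the request bytes exactly as received, before any JSON parsing, and the hex header is decoded so malformed or upper-case values are handled. The names `WebhookHandler`, `sign` and `deliver`, the `/webhooks/paylias` path, the 1 MiB body cap, the 204/401 status codes and the secret and event values are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sign computes HMAC-SHA512 over the raw bytes, as the page describes.
func sign(secret string, body []byte) []byte {
	mac := hmac.New(sha512.New, []byte(secret))
	mac.Write(body)
	return mac.Sum(nil)
}

// WebhookHandler authenticates a delivery before handing its body to next.
func WebhookHandler(secret string, next func(body []byte)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Read the bytes exactly as sent (assumed 1 MiB cap); hex-decode the header.
		body, readErr := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		got, hexErr := hex.DecodeString(r.Header.Get("X-PAYLIAS-SIGNATURE"))
		if readErr != nil || hexErr != nil || !hmac.Equal(got, sign(secret, body)) {
			http.Error(w, "invalid webhook request", http.StatusUnauthorized)
			return
		}
		next(body) // unmarshal JSON only after the signature has been verified
		w.WriteHeader(http.StatusNoContent)
	})
}

// deliver sends a constructed delivery to h in-process and returns the status.
func deliver(h http.Handler, body, sigHex string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhooks/paylias", strings.NewReader(body))
	req.Header.Set("X-PAYLIAS-SIGNATURE", sigHex)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	body := `{"id":"evt_constructed"}` // constructed event, not a real Paylias payload
	h := WebhookHandler("constructed-secret", func([]byte) {})
	fmt.Println(deliver(h, body, hex.EncodeToString(sign("constructed-secret", []byte(body)))))
}
```

Re-serializing the parsed JSON before verifying would change whitespace or key order and make valid deliveries fail, which is why the handler hashes the bytes it read from the request.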