Fongang Rodrique

How to Secure and Verify Adyen Webhooks with Hookdeck



Webhook security and verification are critical components in ensuring the security and integrity of your financial transactions. Adyen, a financial technology platform, deals with payments, which means it is crucial to limit the risk of fraudulent transactions that unsecured webhooks can bring. If these webhooks are not properly secured, they can be vulnerable to security threats such as fraud, replay attacks, man-in-the-middle attacks, and unauthorized access. Learn more about webhook security vulnerabilities and explore our complete guide to webhook security.

As a developer, dealing with each platform's webhook security implementation often leads to a lot of maintenance issues, especially when having to add and manage new providers. This is why managing webhooks from multiple providers ends up costing a lot of time. Hookdeck removes this layer of complexity by letting you manage all of them using pre-configured Sources, and then you only have to implement Hookdeck's signature verification on your server(s).

In this article, I will provide a step-by-step guide on how to set up and configure your Adyen webhooks manually and with Hookdeck. By the end of this article, you will have a comprehensive understanding of how Hookdeck can help secure your Adyen webhooks and protect your business from potential security threats.

How to manually secure Adyen webhooks

To manually secure your Adyen webhooks, you are required to perform the following steps:

  1. Enable HMAC signatures by generating a secret HMAC key in your Customer dashboard.
  2. Receive the HMAC-signed payload, with the signature included in the additionalData field as hmacSignature.
  3. Construct the payload by concatenating values from the notification in a specific order, using an empty string for any empty field.
  4. Calculate the HMAC signature with the SHA-256 function over the binary (UTF-8) representation of the payload, using the binary representation of the HMAC key.
  5. Base64-encode the result.
  6. Compare the calculated signature with the hmacSignature received in the notification.

If they match, it confirms that the notification was sent by Adyen and was not modified during transmission.
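The six manual steps carried out in code, added here as an example that is not from the original post or from Adyen's own libraries. The signed field order and the hex-encoded key follow Adyen's published HMAC verification documentation; the key and notification item are constructed placeholders, and the final comparison is constant-time so the check does not leak timing information.

```python
import base64
import hashlib
import hmac

# Fields Adyen includes in the signed string, in this order, joined by ":".
SIGNED_FIELDS = ("pspReference", "originalReference", "merchantAccountCode",
                 "merchantReference", "amount.value", "amount.currency",
                 "eventCode", "success")

def _lookup(item, dotted_key):
    """Return the value for a (possibly nested) key, or '' if absent or null."""
    value = item
    for part in dotted_key.split("."):
        if not isinstance(value, dict) or value.get(part) is None:
            return ""
        value = value[part]
    return str(value)

def build_signing_string(item):
    """Step 3: concatenate the signed fields in order; empty fields become ''."""
    return ":".join(_lookup(item, key) for key in SIGNED_FIELDS)

def compute_signature(item, hmac_key_hex):
    """Steps 4-5: HMAC-SHA256 of the UTF-8 payload with the hex-decoded key, base64-encoded."""
    key = bytes.fromhex(hmac_key_hex)
    mac = hmac.new(key, build_signing_string(item).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def verify_signature(item, hmac_key_hex):
    """Step 6: constant-time comparison against additionalData.hmacSignature."""
    received = (item.get("additionalData") or {}).get("hmacSignature")
    if not isinstance(received, str) or not received:
        return False  # unsigned or malformed: treat as failed verification
    expected = compute_signature(item, hmac_key_hex)
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))

# Constructed sample (placeholder key and notification item, not real Adyen data).
SAMPLE_KEY_HEX = "0f" * 32
SAMPLE_ITEM = {
    "pspReference": "7914073381342284", "originalReference": None,
    "merchantAccountCode": "TestMerchant", "merchantReference": "order-123",
    "amount": {"value": 1000, "currency": "EUR"},
    "eventCode": "AUTHORISATION", "success": "true",
    "additionalData": {},
}
# Sign the sample the way Adyen would, so verify_signature() can be exercised offline.
SAMPLE_ITEM["additionalData"]["hmacSignature"] = compute_signature(SAMPLE_ITEM, SAMPLE_KEY_HEX)
```

A tampered amount, a missing hmacSignature, or a wrong key all make verify_signature() return False, which is the behaviour your endpoint should map to a rejected notification.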

Learn more about verifying Adyen HMAC signatures here.

Verifying your webhooks this way is secure. However, these steps can present a whole new set of challenges, including implementation difficulties, compatibility issues, performance, maintenance, and the possibility of errors throughout the validation process.

How to secure and verify Adyen webhooks with Hookdeck

To verify your Adyen webhook notifications with Hookdeck:

  1. Create or select an existing Adyen webhook you wish to secure.
  2. Generate an HMAC key for it.
  3. Create a Hookdeck connection with Adyen as the source and your application as the destination.
  4. Fill in the Webhook Signing Secret with the HMAC key generated above.
  5. Save.

Adyen Hookdeck Source

Legitimate requests from Adyen are received successfully with a 200 status code, while any request without a valid signature is flagged as Failed verification and doesn't make it to your destination.

Adyen failed verification

Hookdeck can be used to centralize all your webhook security and verification, so that you only need to verify Hookdeck's signature on your server. See the guide here.

Conclusion

In this article, we have seen why it is important to secure and verify Adyen webhooks, how manual verification can be complicated to handle, and how much simpler it is to implement with Hookdeck. For a comprehensive approach to webhook security, check out our 5-step webhook security checklist.

In conclusion, using Hookdeck simplifies and streamlines the process of verifying Adyen webhooks, making it easier and more secure for developers to integrate quickly. By leveraging Hookdeck's automated verification process, you can be confident that you are safely receiving Adyen webhook events, without having to manually perform the time-consuming and complex steps involved in manual verification. This approach helps you take control of your webhook reliability while following webhook deployment best practices.



Fongang Rodrique

Lead Software Developer

Rodrique is a technical writer and developer with expertise in webhooks who has authored documentation for many tech companies such as Rocket.chat.