Author picture Fongang Rodrique

How to Secure and Verify Adyen Webhooks with Hookdeck

Published


Webhook security and verification are critical components in assuring the security and integrity of your financial transactions. Adyen, a financial technology platform, deals with payments, which means it is crucial to limit the risk of fraudulent transactions unsecured webhooks can bring. If these webhooks are not properly secured, they can be vulnerable to security threats such as fraud, replay attacks, man-in-the-middle attacks, and unauthorized access. Learn more about webhook security here.

As a developer, dealing with each platform’s webhook security implementation often leads to a lot of maintenance issues, especially when having to add and manage new providers. Hookdeck removes this layer of complexity by letting you manage all of them using Integrations, and then you only have to implement Hookdeck’s signature verification on your server(s).

In this article, I will provide a step-by-step guide on how to set up and configure your Adyen webhooks manually and with Hookdeck. By the end of this article, you will have a comprehensive understanding of how Hookdeck can help secure your Adyen webhooks and protect your business from potential security threats.

How to manually secure Adyen webhooks

To manually secure your Adyen webhooks, you are required to perform the following steps:

  1. Enable HMAC signatures by generating a secret HMAC key in your Customer dashboard.
  2. Receive HMAC-signed payload, with the signature included in the additionalData field as hmacSignature.
  3. Construct the payload by concatenating values from the notification in a specific order and assign an empty string to any empty fields.
  4. Calculate the HMAC signature using SHA256 function and the binary representation of the payload and HMAC key. This gives a UTF-8 charset.
  5. Encode the outcome with base64-encode to get the result.
  6. Compare the calculated signature with the hmacSignature received in the notification.

If they match, it confirms that the notification was sent by Adyen and was not modified during transmission.

Learn more about verifying Adyen HMAC signatures here.

Verifying your webhooks this way guarantees security. However, these steps can present a whole new set of challenges, including implementation difficulties, compatibility issues, performance, maintenance, and the possibility of errors throughout the validation process.

How to secure and verify Adyen webhooks with Hookdeck

To verify your Adyen webhook notifications webhook with Hookdeck:

  1. Create a Hookdeck connection with Adyen as the source and your application as the destination.
  2. Create or select an existing Adyen webhook you wish to secure.
  3. Generate an HMAC key for it.
  4. Navigate to Integrations from your Hookdeck dashboard.
  5. Select Adyen from the list of platforms.
  6. Fill in the Webhook Signing Secret as the secret gotten above.
  7. Select the Adyen source connection to secure.
  8. Confirm.

You can select multiple sources and secure them at once.

You now see the Adyen integration at the top of the integration page and the connection showing a green shield on the connection page.

Hookdeck Adyen secure

Legitimate requests from Adyen get received successfully with a 200 status code while any request without the signature is flagged with Failed verification and doesn’t make it to your destination.

Adyen failed verification

Hookdeck can be used to centralize all your webhook security and verification, making it easy for you to only sign Hookdeck on your server. See the guide here.

Conclusion

In this article, we have seen why it is important to secure and verify Adyen webhooks, how manual verification can be complicated to handle, and the ease of implementing with Hookdeck.

In conclusion, using Hookdeck simplifies and streamlines the process of verifying Adyen webhooks, making it easier and more secure for developers to integrate quickly. By leveraging Hookdeck's automated verification process, you can be confident that you are accurately receiving and responding to Adyen webhook events, without having to manually perform the time-consuming and complex steps involved in manual verification.