Verify webhook signatures - Moflay Documentation

Verify every Moflay webhook before using the payload. Signature verification protects your backend from requests that did not come from Moflay’s webhook delivery system.

Required headers

Moflay webhooks use Svix-style signing headers:

Header	Description
`svix-id`	Unique message identifier
`svix-timestamp`	Signed delivery timestamp
`svix-signature`	Signature value to verify

Verify with Node.js

import { Webhook } from "svix";

const secret = process.env.MOFLAY_WEBHOOK_SIGNING_SECRET!;

export async function POST(request: Request) {
  const body = await request.text();

  const payload = new Webhook(secret).verify(body, {
    "svix-id": request.headers.get("svix-id") ?? "",
    "svix-timestamp": request.headers.get("svix-timestamp") ?? "",
    "svix-signature": request.headers.get("svix-signature") ?? "",
  });

  console.log(payload);

  return new Response(null, { status: 204 });
}

Verification rules

Read the raw request body before parsing JSON.
Verify the signature before updating internal records.
Return a non-2xx response when verification fails.
Store the signing secret in your backend environment variables.

After verification

After the signature is valid:

Check whether you already processed the webhook message.
Inspect the event type.
Update your internal order, invoice, or customer record.
Return a successful response after your handler finishes.

Webhook overview

Webhook events

​Required headers

​Verify with Node.js

​Verification rules

​After verification

​Related pages

Required headers

Verify with Node.js

Verification rules

After verification

Related pages