Verify Airwallex Webhook Signatures
Airwallex signs each webhook by concatenating the x-timestamp value with the raw request body and computing HMAC-SHA256 with your endpoint's webhook secret. The hex result is sent in the x-signature header. Paste the raw body, the timestamp, your secret and the signature.
Everything runs in your browser — the payload and secret never leave this page. Want to verify a different provider? See the webhook signature verifier hub or the generic HMAC generator.
How Airwallex signs webhooks
- Read the x-timestamp header (a Unix time in milliseconds).
- Build the signed value by concatenating the timestamp directly with the raw request body: timestamp first, body second, no separator.
- Compute HMAC-SHA256 of that value using your endpoint's webhook secret as the key, hex-encoded.
- Constant-time compare it to x-signature, and reject events whose x-timestamp is too old to block replays.
Verify Airwallex signatures in code
```javascript
const crypto = require('crypto');

// rawBody: the unparsed request body exactly as received
const ts = req.headers['x-timestamp'];
const expected = crypto
  .createHmac('sha256', process.env.AIRWALLEX_WEBHOOK_SECRET)
  .update(ts + rawBody) // timestamp + raw body, no separator
  .digest('hex');
// timingSafeEqual throws on unequal lengths, so check the length first
const received = Buffer.from(req.headers['x-signature'] || '');
const valid = received.length === expected.length &&
  crypto.timingSafeEqual(Buffer.from(expected), received);
```

```python
import hmac, hashlib

# raw_body: the unparsed request body as bytes
ts = request.headers['x-timestamp']
expected = hmac.new(
    webhook_secret.encode(), ts.encode() + raw_body, hashlib.sha256).hexdigest()
valid = hmac.compare_digest(expected, request.headers.get('x-signature', ''))
```

Frequently asked questions
Which secret signs Airwallex webhooks?
The webhook secret shown when you create the webhook (notification URL) in the Airwallex web app. Each endpoint has its own secret and it is used as a raw string — it is not your API key or client ID.
Is x-timestamp in seconds or milliseconds?
Milliseconds since the Unix epoch. Compare it against the current time in milliseconds and reject events outside your tolerance. Airwallex does not mandate a window; a few minutes is a sensible default.
Why does verification fail with the correct secret?
Usually the body was re-serialized. Airwallex signs the exact raw bytes, so verify against the unparsed request body and prepend the timestamp with no separator (x-timestamp + body).
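The signing steps and the two FAQ points above (millisecond timestamps, exact raw bytes) combined into one verifier, as an added example that is not Airwallex's or this page's own code. The function names, the 5-minute tolerance, and the sample secret, body and timestamp are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_MS = 5 * 60 * 1000  # assumed window; the page only suggests "a few minutes"


def sign(secret: str, timestamp: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over timestamp + raw body (no separator), hex-encoded."""
    return hmac.new(secret.encode(), timestamp.encode() + raw_body,
                    hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, raw_body, now_ms=None, tolerance_ms=TOLERANCE_MS):
    """Return (ok, reason). headers: dict with lower-case names; raw_body: unparsed bytes."""
    ts = headers.get("x-timestamp", "")
    sig = headers.get("x-signature", "")
    if not ts or not sig:
        return False, "missing header"
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad timestamp"
    # Check the MAC first: the timestamp is only trustworthy once the signature holds.
    expected = sign(secret, ts, raw_body)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    # x-timestamp is in milliseconds, so compare against the clock in milliseconds.
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(now_ms - int(ts)) > tolerance_ms:
        return False, "stale timestamp"
    return True, "ok"


# Constructed sample data (not a real secret, event, or captured request).
SECRET = "constructed-example-secret"
RAW = b'{"id": "evt_1",  "name":"example.event"}'  # irregular spacing on purpose
TS = "1700000000000"
HEADERS = {"x-timestamp": TS, "x-signature": sign(SECRET, TS, RAW)}
NOW = int(TS) + 30_000  # 30 seconds after signing
# Parsing and re-serializing normalizes whitespace, so the bytes no longer match.
RESERIALIZED = json.dumps(json.loads(RAW)).encode()

if __name__ == "__main__":
    print(verify_webhook(SECRET, HEADERS, RAW, now_ms=NOW))
    print(verify_webhook(SECRET, HEADERS, RESERIALIZED, now_ms=NOW))
    # The same valid signature replayed an hour later falls outside the window.
    print(verify_webhook(SECRET, HEADERS, RAW, now_ms=NOW + 3_600_000))
```

In a web framework, pass the body bytes captured before any JSON middleware runs, and lower-case the header names if the framework does not already do so.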
Verify other providers
Receiving Airwallex webhooks on a server behind a firewall or on localhost? Webhook Relay can forward them to your internal service and even verify or transform them before delivery.
