Verify webhook events sent from BuyCoins

To be able to verify that requests to your Webhook URL are coming from BuyCoins and not a malicious actor:

Valid webhook requests have a header with the key X-Webhook-Signature which is essentially a HMAC SHA1 signature of the request body. This is signed using your Webhook Token.


  • Sign the entire request body with HMAC SHA1 using the Webhook Token.

  • Compare the result of this signing with the value of the header item with the key X-Webhook-Signature

  • If they match, then the request is indeed from BuyCoins.

Example with Ruby/Sinatra:

require 'sinatra'
require 'openssl'
post '/webhook' do
webhook_token = ENV['WEBHOOK_TOKEN']
body =
hook_signature = request.env['HTTP_X_WEBHOOK_SIGNATURE']
signature = OpenSSL::HMAC.hexdigest('sha1'), webhook_token, body)
is_valid = Rack::Utils.secure_compare(signature, hook_signature)
if is valid
#do something with token

Responding to a Webhook Request

  • You should respond to an event with a 200 OK. We consider this an acknowledgement by your application.

  • If your application responds with any status outside of the 2xx range, we will consider it unacknowledged and thus, continue to send it every hour for 3 hours.

  • You don't need to send a request body or some other parameter as it would be discarded - we only pay attention to the status code.