Webhook Signature Verification — Best Practice for Node.js?

Hi all,

I’m currently integrating LePay into a Node.js (Express) backend and I’m a bit unclear on the best way to handle webhook signature verification.

The documentation mentions validating the x-lepay-signature header using the secret key, but there’s no example provided for Node.js. I want to make sure I’m verifying the payload correctly and securely — especially to prevent replay attacks or tampering.

My question is:
What’s the recommended method for verifying LePay webhook signatures in Node.js? Should I use HMAC with SHA-256, and do I need to capture the raw body before parsing?

If anyone has sample code or has done this already, that would be super helpful. Just want to make sure I’m not missing any critical steps.

Thanks in advance

—dev_alex89
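
One way to do the check the question describes, as an added example that is not from the LePay documentation or from the poster. It assumes the `x-lepay-signature` header carries the hex-encoded HMAC-SHA256 of the raw request body under the secret key, which the page does not confirm; the secret, payload and the `makeReplayGuard` helper are constructed for illustration.

```javascript
// Added example. Assumption (not confirmed by LePay docs): the header value is
// hex(HMAC-SHA256(secret, raw request body)).
const crypto = require("node:crypto");

// Expected signature over the exact bytes that arrived on the wire.
function sign(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// rawBody must be the unparsed Buffer, e.g. from
// express.raw({ type: "application/json" }) mounted on the webhook route.
function verifySignature(rawBody, headerValue, secret) {
  if (!Buffer.isBuffer(rawBody) || typeof headerValue !== "string") return false;
  // Reject anything that is not exactly 32 bytes of hex before decoding.
  if (!/^[0-9a-f]{64}$/i.test(headerValue)) return false;
  const expected = Buffer.from(sign(rawBody, secret), "hex");
  const received = Buffer.from(headerValue, "hex");
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return crypto.timingSafeEqual(expected, received);
}

// Hypothetical replay guard: remember accepted signatures for ttlMs.
// It only blocks replays inside that window; rejecting older ones needs a
// signed timestamp or event id, if the provider includes one.
function makeReplayGuard(ttlMs = 5 * 60 * 1000) {
  const seen = new Map(); // signature -> expiry time (ms)
  return function isFresh(signature, now = Date.now()) {
    for (const [sig, exp] of seen) if (exp <= now) seen.delete(sig);
    if (seen.has(signature)) return false;
    seen.set(signature, now + ttlMs);
    return true;
  };
}

// Constructed sample data (not real LePay values).
const SECRET = "example-secret-not-real";
const RAW = Buffer.from('{"event":"payment.succeeded", "amount":1000}');
const GOOD_SIG = sign(RAW, SECRET);
// Parsing and re-serializing drops the space after the comma, so the bytes
// differ and the HMAC no longer matches. This is why the raw body is needed.
const REPARSED = Buffer.from(JSON.stringify(JSON.parse(RAW.toString())));
```

Call `JSON.parse` on the raw buffer only after `verifySignature` returns true.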