Verifying and Validating Webhooks
You should verify that webhooks are from ChargeOver by checking the shared secret token sent with the webhook.
When you create a webhook in ChargeOver, you'll be provided with a Shared secret token value.
ChargeOver sends this shared secret along with every webhook in two ways:
- In the JSON payload as an attribute named security_token
- In an HTTP header named X-ChargeOver-Key
Verifying a shared secret token in the HTTP headers
ChargeOver sends the shared secret token to you in this HTTP header:
X-ChargeOver-Key
For example, an HTTP request sent to you might look like this:
POST /path/to/your/endpoint HTTP/1.1
Content-Type: application/json
X-ChargeOver-Key: SFkJ3fy02n17YxNXm96tCGUKVTOAIBsH
X-ChargeOver-Source: example.chargeover.com
Verify that the shared secret token you receive matches what is in ChargeOver.
Verifying a shared secret token in the webhook payload
ChargeOver sends the shared secret token to you in the JSON payload, in an attribute named:
security_token
For example, a JSON payload sent to you might look like:
{
  "context_str": "user",
  "context_id": 370,
  "event": "insert",
  "data": {
    "user": {
      "user_id": 370,
      "first_name": "Jane",
      "last_name": "Doe",
      "email": "jane.doe@example.com",
      "write_datetime": "2025-08-18 13:43:42",
      "mod_datetime": "2025-10-05 17:51:22",
      "name": "Jane Doe",
      "url_self": "https:\/\/example.chargeover.com\/admin\/r\/contact\/view\/370",
      "customer_id": 413
    }
  },
  "security_token": "SFkJ3fy02n17YxNXm96tCGUKVTOAIBsH"
}
Verify that the shared secret token you receive matches what is in ChargeOver.
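One way to perform both checks in a receiving endpoint, shown as an added example that is not ChargeOver's own code. The names verify_webhook and EXPECTED_TOKEN are hypothetical, the token value is a constructed placeholder, and requiring both the header and the payload token to match is a choice made for this example.

```python
import hmac
import json

# Constructed placeholder. Load the real shared secret token from a secret
# store or environment variable rather than hard-coding it in source.
EXPECTED_TOKEN = "example-shared-secret-token"


def _matches(candidate, expected):
    """Constant-time comparison; missing or non-string values never match."""
    if not isinstance(candidate, str) or not expected:
        return False
    return hmac.compare_digest(candidate.encode("utf-8"), expected.encode("utf-8"))


def verify_webhook(headers, raw_body, expected=EXPECTED_TOKEN):
    """Return the parsed payload if both tokens match, otherwise None.

    headers  -- mapping of request header names to values (any letter case)
    raw_body -- request body as bytes
    """
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    if not _matches(lowered.get("x-chargeover-key"), expected):
        return None
    try:
        payload = json.loads(raw_body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return None
    if not isinstance(payload, dict):
        return None
    if not _matches(payload.get("security_token"), expected):
        return None
    return payload


if __name__ == "__main__":
    # Constructed sample request, shaped like the examples above.
    body = b'{"context_str": "user", "event": "insert", ' \
           b'"security_token": "example-shared-secret-token"}'
    print(verify_webhook({"X-ChargeOver-Key": EXPECTED_TOKEN}, body))
    print(verify_webhook({"X-ChargeOver-Key": "wrong-token"}, body))
```

Reject the request (for example with an HTTP 401 or 403 response) and do not act on the payload whenever the function returns None.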