# Verifying and Validating Webhooks

You should verify that webhooks are from ChargeOver by checking the shared secret token 
sent with the webhook. 

When you create a webhook in ChargeOver, you'll be provided with a `Shared secret token` value.

ChargeOver sends this shared secret along with every webhook in _two ways_:   

1. In the JSON payload as an attribute named `security_token` 
2. In an HTTP header named `X-ChargeOver-Key`

## Verifying a shared secret token in the HTTP headers

ChargeOver sends the shared secret token to you in this HTTP header: 

* `X-ChargeOver-Key`

For example, an HTTP request sent to you might look like this:

```http
POST /path/to/your/endpoint HTTP/1.1
Content-Type: application/json
X-ChargeOver-Key: SFkJ3fy02n17YxNXm96tCGUKVTOAIBsH
X-ChargeOver-Source: example.chargeover.com
```

Verify that the value of the `X-ChargeOver-Key` header matches the `Shared secret token` value ChargeOver provided for this webhook.

## Verifying a shared secret token in the webhook payload

ChargeOver sends the shared secret token to you in the JSON payload, in an attribute named: 

* `security_token`

For example, a JSON payload sent to you might look like: 

```json
{
    "context_str": "user",
    "context_id": 370,
    "event": "insert",
    "data": {
        "user": {
            "user_id": 370,
            "first_name": "Jane",
            "last_name": "Doe",
            "email": "jane.doe@example.com",
            "write_datetime": "2025-08-18 13:43:42",
            "mod_datetime": "2025-10-05 17:51:22",
            "name": "Jane Doe",
            "url_self": "https:\/\/example.chargeover.com\/admin\/r\/contact\/view\/370",
            "customer_id": 413
        }
    },
    "security_token": "SFkJ3fy02n17YxNXm96tCGUKVTOAIBsH"
}
```

Verify that the `security_token` value in the payload matches the `Shared secret token` value ChargeOver provided for this webhook.
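
One way to implement both checks in a receiving endpoint, as an added example that is not ChargeOver's own code. The function name `verify_webhook`, the choice to require both copies of the token to match, and the constant-time comparison are assumptions of this example; the sample token is the one from the examples above and the sample body is constructed.

```python
import hmac
import json

HEADER_NAME = "X-ChargeOver-Key"   # header name from this page
PAYLOAD_FIELD = "security_token"   # JSON attribute name from this page

# Sample values for the demo: token from the page's examples, body constructed.
SAMPLE_SECRET = "SFkJ3fy02n17YxNXm96tCGUKVTOAIBsH"
SAMPLE_BODY = json.dumps(
    {"context_str": "user", "context_id": 370, "event": "insert",
     "security_token": SAMPLE_SECRET}
).encode("utf-8")


def _matches(received, expected: str) -> bool:
    """Compare in constant time; a missing or non-string value never matches."""
    if not isinstance(received, str):
        return False
    return hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8"))


def verify_webhook(headers: dict, raw_body: bytes, expected_secret: str) -> bool:
    """Return True only if the header and the payload both carry expected_secret."""
    if not expected_secret:
        return False  # an unset secret must never "match" an empty token
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {str(name).lower(): value for name, value in headers.items()}
    if not _matches(lowered.get(HEADER_NAME.lower()), expected_secret):
        return False
    try:
        payload = json.loads(raw_body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return False
    if not isinstance(payload, dict):
        return False
    return _matches(payload.get(PAYLOAD_FIELD), expected_secret)


if __name__ == "__main__":
    good = {"X-ChargeOver-Key": SAMPLE_SECRET}
    print("valid request:", verify_webhook(good, SAMPLE_BODY, SAMPLE_SECRET))
    print("wrong header: ", verify_webhook({"X-ChargeOver-Key": "nope"},
                                           SAMPLE_BODY, SAMPLE_SECRET))
```

Load the expected secret from your own configuration store rather than hard-coding it, and run the check before acting on any field in the payload.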