You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Webhook delivery must POST a JSON payload to the configured URL and optionally sign the
request body with HMAC-SHA256 so receivers can verify authenticity.
Acceptance criteria
POST to channel_config.url with Content-Type: application/json
Header X-StellarNotify-Event: <event_type> present on every request
Header X-StellarNotify-Signature: sha256=<hmac> present when channel_config.secret is set
10-second request timeout
Non-2xx responses throw an error so the retry loop is triggered
Unit test: assert signature header is correct for known payload + secret
Unit test: assert delivery succeeds on 200 and fails on 500
Security note
The HMAC is computed over the raw JSON body string before parsing.
Document the verification algorithm in README.
Summary
Webhook delivery must POST a JSON payload to the configured URL and optionally sign the
request body with HMAC-SHA256 so receivers can verify authenticity.
Acceptance criteria
POSTtochannel_config.urlwithContent-Type: application/jsonX-StellarNotify-Event: <event_type>present on every requestX-StellarNotify-Signature: sha256=<hmac>present whenchannel_config.secretis setSecurity note
The HMAC is computed over the raw JSON body string before parsing.
Document the verification algorithm in README.