Has RevenueCat recently removed support for the x-revenuecat-signature header in webhook requests? If so, is the API authorization header now the only supported method for webhook authentication and security? Also, I am not seeing any option in the RevenueCat dashboard to create or retrieve a webhook secret key—has this functionality been removed or relocated?
Answer
Is x-revenuecat-signature removed, and where is webhook secret key?
Best answer by chris_perriam
Webhooks dispatched by RevenueCat are protected with industry standard HTTPS using the revenuecat.com domain. We don't provide a x-revenuecat-signature header (or similar) mechanism.
Could you please let me know where you heard of the x-revenuecat-signature header? We'd like to ensure that this source of information is updated.
I’ve attached a screenshot showing where an Authorization header can be configured when setting up a new Webhook in RevenueCat.
This post has been closed for comments
+6Webhooks dispatched by RevenueCat are protected with industry standard HTTPS using the revenuecat.com domain. We don't provide a x-revenuecat-signature header (or similar) mechanism.
Could you please let me know where you heard of the x-revenuecat-signature header? We'd like to ensure that this source of information is updated.
I’ve attached a screenshot showing where an Authorization header can be configured when setting up a new Webhook in RevenueCat.
+6Authorization HTTP header of our webhook requests.
This is probably what you’re looking for by “REVENUECAT_WEBHOOK_SECRET”. If you do not have an Authorization Header Value configured, your “secret” would be empty.
This should work:
--header 'Authorization: your_webhook_secret_here'
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.