Skip to main content
Each request includes X-Minisend-Signature: an HMAC-SHA256 hex of the raw JSON body, keyed with your webhook_secret. Verify it before processing.
Find your webhook_secret in Settings. Treat it like a password.
Use a timing-safe comparison. === is vulnerable to timing attacks.

Sign over the raw body

The signature covers the exact bytes Minisend sent. Re-stringifying the parsed body (JSON.stringify(req.body)) can produce different bytes and break verification. Capture the raw body before parsing. In Express, use express.raw({ type: 'application/json' }) for the webhook route.

Verify

Full Express handler

Return 2xx before running business logic. Anything taking >10s triggers a retry.