Overview

All Moralis webhooks are cryptographically signed to ensure authenticity and integrity. By verifying each webhook signature, you can be confident that:
  • The request was sent by Moralis
  • The payload was not tampered with
  • Your application is protected against spoofed requests
Signature verification is strongly recommended for all production environments.

How Webhook Signing Works

Every webhook request includes a signature in the HTTP headers:
x-signature
This signature is generated by:
  1. Serializing the webhook payload
  2. Appending your account’s secret
  3. Computing a Keccak-256 hash (via web3.utils.sha3)
Conceptually:
signature = sha3(JSON.stringify(body) + secret)
The generated signature is then sent with the webhook request.

What Is the Secret Key?

The secret key is a Streams-specific credential associated with your Moralis account.
  • It is not your API key
  • It is used only for webhook verification
  • It can be retrieved via the Streams settings endpoint

Verifying Webhook Signatures

To verify a webhook:
  1. Read the x-signature header
  2. Recompute the signature using the request body and your secret
  3. Compare the two values
  4. Reject the request if they do not match
Verification should happen before processing the payload.

Example: Node.js (Express)

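import { timingSafeEqual } from "node:crypto";
import { Web3 } from "web3";

function verifySignature(req, secret) {
  // Step 1: read the signature Moralis sent with the request.
  const providedSignature = req.headers["x-signature"];
  if (typeof providedSignature !== "string") {
    throw new Error("Missing signature");
  }

  // Step 2: recompute Keccak-256 over the serialized body plus the secret.
  const web3 = new Web3();
  const expectedSignature = web3.utils.sha3(
    JSON.stringify(req.body) + secret
  );

  // Steps 3 and 4: compare in constant time and reject on mismatch.
  // timingSafeEqual throws on unequal lengths, so check the length first.
  const expected = Buffer.from(expectedSignature);
  const provided = Buffer.from(providedSignature);
  if (expected.length !== provided.length || !timingSafeEqual(expected, provided)) {
    throw new Error("Invalid signature");
  }
}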
Use this check at the start of your webhook handler. For handling test webhooks safely, explore Test Webhooks.
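
The signing and verification steps above, written without dependencies as an added example (this is not Moralis code). Keccak-256 is implemented inline because web3.utils.sha3 is Keccak-256, whose padding differs from the NIST SHA3-256 that Node's crypto module exposes as sha3-256; swapping one for the other makes every signature check fail. The function names, the secret and the payload fields are constructed for illustration.

```javascript
const rol = (v, n) => BigInt.asUintN(64, (v << BigInt(n)) | (v >> BigInt(64 - n)));
function keccakF(s) { // Keccak-f[1600] permutation over 25 lanes of 64 bits
  let R = 1;
  for (let round = 0; round < 24; round++) {
    const C = [0, 1, 2, 3, 4].map((x) => s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]);
    for (let i = 0; i < 25; i++) s[i] ^= C[(i + 4) % 5] ^ rol(C[(i + 1) % 5], 1); // theta
    let x = 1, y = 0, cur = s[1];
    for (let t = 0; t < 24; t++) { // rho and pi
      [x, y] = [y, (2 * x + 3 * y) % 5];
      [cur, s[x + 5 * y]] = [s[x + 5 * y], rol(cur, ((t + 1) * (t + 2) / 2) % 64)];
    }
    for (let row = 0; row < 25; row += 5) { // chi
      const T = s.slice(row, row + 5);
      for (let i = 0; i < 5; i++) s[row + i] = T[i] ^ (~T[(i + 1) % 5] & T[(i + 2) % 5]);
    }
    for (let j = 0; j < 7; j++) { // iota: round constant bits come from an LFSR
      R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256;
      if (R & 2) s[0] ^= 1n << ((1n << BigInt(j)) - 1n);
    }
  }
}

// suffix 0x01 is the original Keccak padding; 0x06 would give NIST SHA3-256.
function keccak256Hex(text, suffix = 0x01) {
  const msg = new TextEncoder().encode(text), rate = 136;
  const padded = new Uint8Array(Math.ceil((msg.length + 1) / rate) * rate);
  padded.set(msg);
  padded[msg.length] ^= suffix;
  padded[padded.length - 1] ^= 0x80;
  const s = Array(25).fill(0n);
  for (let off = 0; off < padded.length; off += rate) {
    for (let i = 0; i < rate; i++) s[i >> 3] ^= BigInt(padded[off + i]) << BigInt(8 * (i % 8));
    keccakF(s);
  }
  let hex = "0x";
  for (let i = 0; i < 32; i++) hex += ((s[i >> 3] >> BigInt(8 * (i % 8))) & 0xffn).toString(16).padStart(2, "0");
  return hex;
}

function verifyWebhook(body, providedSignature, secret) {
  if (typeof providedSignature !== "string") return false; // x-signature header missing
  const expected = keccak256Hex(JSON.stringify(body) + secret);
  let diff = expected.length ^ providedSignature.length;
  for (let i = 0; i < expected.length; i++) diff |= expected.charCodeAt(i) ^ providedSignature.charCodeAt(i);
  return diff === 0; // every character is compared, with no early exit
}

const SECRET = "example-streams-secret"; // constructed sample values, not real Moralis data
const BODY = { streamId: "demo-stream", confirmed: true, logs: [] };
const GOOD_SIGNATURE = keccak256Hex(JSON.stringify(BODY) + SECRET);
console.log(verifyWebhook(BODY, GOOD_SIGNATURE, SECRET), verifyWebhook({ ...BODY, confirmed: false }, GOOD_SIGNATURE, SECRET));
```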

Security Best Practices

Always verify signatures

Do not trust:
  • Source IP
  • User-Agent headers
  • Payload structure alone

Use HTTPS

Webhook endpoints must be served over HTTPS to prevent interception or replay.

Keep handlers lightweight

Slow responses can cause retries or queue buildup. Explore Webhook Delivery to learn how to handle this.

Make handlers idempotent

Retries may result in duplicate payloads. Read more about Retries & Replays.

What Happens If Verification Fails?

If your endpoint:
  • Rejects the request (non-2xx)
  • Throws an error
  • Times out
Then:
  • The webhook is considered failed
  • Automatic retries will occur
  • The stream’s success rate may drop
Read Error Handling for more on failure handling.

Relationship to Other Webhook Concepts

| Topic | Page |
| --- | --- |
| Delivery guarantees | Webhook Delivery |
| Confirmed vs unconfirmed | Confirmation & Finality |
| Test requests | Test Webhooks |
| Retries & recovery | Retries & Replays |
| Failure states | Error Handling |