Webhooks deliver real-time transaction events from Quidax to your server. A poorly secured webhook endpoint can be exploited to inject false events into your system, causing you to credit users for transactions that never occurred.
To secure your webhook integration:
- Verify the webhook signature on every incoming request. Quidax signs webhook payloads with a shared secret. Your endpoint must validate this signature before processing any event. Reject unsigned or incorrectly signed requests.
- Whitelist Quidax IP addresses. To ensure you only receive webhooks from Quidax, allow incoming traffic to your webhook endpoint only from Quidax’s specific IP addresses.
- Use HTTPS for your webhook endpoint. Never accept webhook payloads over unencrypted HTTP.
- Implement idempotency handling. It is possible for the same webhook event to be delivered more than once (e.g., in a retry scenario). Your system should check whether an event ID has already been processed before acting on it.
- Respond promptly. Your webhook endpoint should return a 200 response as quickly as possible. Do any heavy processing asynchronously. Slow responses may cause Quidax’s webhook system to classify your endpoint as unavailable and retry delivery.
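The signature, idempotency and prompt-response steps above can be combined in one handler, shown here as an added example that is not Quidax's own code. It assumes a hex-encoded HMAC-SHA256 over the raw request body and an `id` field in the event; the actual header name and signing format are not stated on this page and must be taken from Quidax's webhook documentation.

```python
import hashlib
import hmac
import json


def sign(secret: bytes, raw_body: bytes) -> str:
    """Assumed scheme (not from the page): hex HMAC-SHA256 of the raw body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body, signature, secret, seen_ids, work_queue):
    """Return the HTTP status to send. Payload fields are read only after
    the signature has been verified."""
    # Reject unsigned requests outright.
    if not signature:
        return 401

    # Verify over the exact bytes received (not re-serialized JSON),
    # using a constant-time comparison to avoid leaking match length.
    expected = sign(secret, raw_body).encode()
    supplied = signature.strip().lower().encode()
    if not hmac.compare_digest(expected, supplied):
        return 401

    # Parse only once the sender is authenticated.
    try:
        event = json.loads(raw_body)
        event_id = event["id"]  # "id" is an assumed field name
    except (ValueError, KeyError, TypeError):
        return 400
    if not isinstance(event_id, (str, int)):
        return 400

    # Idempotency: acknowledge a redelivery with 200 so retries stop,
    # but do not act on it again. In production, seen_ids should be a
    # durable store with a unique constraint, not an in-memory set.
    if event_id in seen_ids:
        return 200
    seen_ids.add(event_id)

    # Respond promptly: hand the event to a background worker and return.
    work_queue.append(event)
    return 200
```

Call `handle_webhook` with the unmodified request bytes; a framework that parses and re-encodes the JSON before you see it will change the bytes and break verification.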