Ivan Marynych
Verifying Monobank Acquiring API Webhook Sign with Ruby Script


Webhooks play a crucial role in modern API integrations, allowing real-time communication between applications. However, ensuring the integrity and authenticity of incoming webhook data is essential to prevent security breaches. In this article, we will explore a Ruby script that demonstrates how to verify the Monobank Acquiring API webhook sign, ensuring the received data is from a trusted source. The script, available at the GitHub repository loqimean/monobank_webhook_sign_verification, provides a straightforward implementation to validate the webhook sign using Ruby.

Understanding the Monobank Acquiring API Webhook Sign: The Monobank Acquiring API sends webhook notifications containing transaction information. To verify the authenticity of these notifications, Monobank includes a webhook sign in the request headers. This sign is generated using a shared secret key and serves as proof of origin for the webhook data. The Ruby script we will discuss utilizes this sign to validate incoming webhook requests.

Implementation Details: The Ruby script available in the repository mentioned above showcases a concise and efficient method to verify the Monobank Acquiring API webhook sign. Let’s walk through the important components of the script:

  1. Dependencies: The script requires the ‘openssl’ and ‘base64’ libraries, which are commonly available in Ruby installations. If you encounter any issues related to these dependencies, make sure they are installed or update your Ruby environment accordingly.

  2. Verification Process: The script parses the incoming webhook request headers to extract the provided webhook sign and the body of the request. It then applies the same hashing algorithm used by Monobank (SHA1) to generate a local sign from the request body, using the shared secret key obtained from Monobank. Finally, it compares the locally generated sign with the one received in the webhook request headers. If they match, the script confirms the authenticity of the webhook data.

  3. Error Handling: To provide comprehensive feedback, the script incorporates error handling mechanisms. If any errors occur during the verification process, appropriate error messages are displayed, aiding in troubleshooting and debugging.
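
The flow from step 2, as an added example that is not the repository's script: it assumes the sign is the Base64-encoded HMAC-SHA1 of the raw request body under the shared secret, which is one reading of the description above and should be confirmed against the Monobank documentation. `WebhookSignError`, `verify_webhook_sign!`, `webhook_authentic?` and the sample values are hypothetical names and constructed data.

```ruby
require "openssl"

# Raised when a webhook cannot be authenticated. Callers should reject the
# request and log the reason without echoing the secret or expected sign.
class WebhookSignError < StandardError; end

# Hypothetical helper. Assumed construction (not taken from Monobank docs):
#   sign = Base64(HMAC-SHA1(secret, raw_body))
def verify_webhook_sign!(raw_body, provided_sign, secret)
  raise WebhookSignError, "missing sign" if provided_sign.nil? || provided_sign.strip.empty?
  raise WebhookSignError, "missing secret" if secret.nil? || secret.empty?

  begin
    # Strict Base64 decode (what Base64.strict_decode64 does internally).
    provided = provided_sign.strip.unpack1("m0")
  rescue ArgumentError
    raise WebhookSignError, "sign is not valid Base64"
  end

  # Hash the exact bytes received; re-serialised JSON would not match.
  expected = OpenSSL::HMAC.digest("SHA1", secret, raw_body)

  # Constant-time comparison so timing does not leak how many bytes matched.
  raise WebhookSignError, "sign mismatch" unless OpenSSL.secure_compare(expected, provided)
  true
end

# Boolean wrapper that logs every rejection to stderr.
def webhook_authentic?(raw_body, provided_sign, secret)
  verify_webhook_sign!(raw_body, provided_sign, secret)
rescue WebhookSignError => e
  warn "webhook rejected: #{e.message}"
  false
end

# Constructed sample data, not real Monobank traffic.
SAMPLE_SECRET = "constructed-demo-secret"
SAMPLE_BODY   = '{"invoiceId":"demo-001","status":"success","amount":4200}'
SAMPLE_SIGN   = [OpenSSL::HMAC.digest("SHA1", SAMPLE_SECRET, SAMPLE_BODY)].pack("m0")

if __FILE__ == $PROGRAM_NAME
  puts webhook_authentic?(SAMPLE_BODY, SAMPLE_SIGN, SAMPLE_SECRET)                   # genuine body
  puts webhook_authentic?(SAMPLE_BODY.sub("4200", "1"), SAMPLE_SIGN, SAMPLE_SECRET)  # tampered amount
end
```

In a web framework, pass the unparsed request body to the helper before any JSON parsing, and treat a `false` result as a rejected request.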


Webhook sign verification is a crucial step in securing API integrations, ensuring that data originates from trusted sources. The Ruby script provided in the loqimean/monobank_webhook_sign_verification repository offers a simple yet effective way to verify the Monobank Acquiring API webhook sign. By implementing this script in your application, you can enhance the security of your Monobank webhook integrations, safeguarding the integrity of your data and preventing potential security breaches.

Remember to regularly update your secret key and keep it securely stored. Additionally, monitoring and logging webhook verification results can be beneficial for detecting any unusual activity or potential attacks.

Please note that while the provided script demonstrates a viable approach to verify Monobank Acquiring API webhook signs, it’s important to review and customize it based on your specific requirements and security practices.

Remember to regularly review the official Monobank documentation for any updates or changes to their API implementation.

Happy coding and secure webhook integrations! 🎉
