Secure webhooks

Webhook events are signed so that the system receiving the event can verify their authenticity.

This section applies to both Open Storefront Framework (OSF) and Storefront Classic.

Webhook POST requests include an HMAC SHA512 signature in the X-Oracle-CC-WebHook-Signature header. The signature is calculated with the webhook's secret key as the HMAC key over the raw UTF-8 bytes of the POST body; the resulting hash is then base64-encoded to produce the string value carried in the header. If your secret key has been disclosed or compromised, you can generate a new one.

To generate a new secret key:

  1. Click the Settings icon.
  2. Click Web APIs and display the Webhook tab.
  3. Click the type of webhook you want to configure.
  4. Under HMAC Authentication, click Reset.

The following is sample code for generating an HMAC SHA512 signature from a secret key and content. In the case of webhooks, the content String would be the complete, unaltered body of the webhook POST request.

This or similar code can be used to verify that the message was sent by someone with access to the shared secret key (presumably Oracle Commerce), and that the body of the message has not been altered after the fact:

import java.nio.charset.StandardCharsets;
import java.security.SignatureException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * This class provides an example of calculating an HMAC SHA512
 * signature in Java.
 */
public class CalcHmacSignature {

  /**
   * Calculate an HMAC SHA512 signature.
   *
   * @param pSecretKey the secret key (in string form).
   * @param pContent the content to create a signature for. For Commerce
   * Cloud WebHooks this should be the complete, unmodified body of the post.
   * @return The Base64-encoded HMAC SHA512 signature.
   * @throws SignatureException if there's a problem generating the signature.
   */
  public static String getSignatureForBytes(String pSecretKey, String pContent)
    throws SignatureException {

    try {
      // HMAC SHA512 key from the raw UTF-8 bytes of the secret key
      SecretKeySpec keySpec = new SecretKeySpec(
          pSecretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA512");

      // get the Mac instance for HMAC SHA512
      Mac mac = Mac.getInstance("HmacSHA512");

      // initialize with our key spec
      mac.init(keySpec);

      // generate the signature from the UTF-8 bytes of the content
      byte[] digest = mac.doFinal(pContent.getBytes(StandardCharsets.UTF_8));

      // base64-encode the hmac signature. java.util.Base64 is available from
      // Java 8 onwards; on a pre-JDK-8 runtime the encoder tucked away in
      // javax.xml.bind (DatatypeConverter.printBase64Binary) can be used instead.
      return Base64.getEncoder().encodeToString(digest);
    } catch (Exception e) {
      throw new SignatureException("Failed to generate signature: " +
          e.getMessage(), e);
    }
  }

  public static void main(String[] args) throws SignatureException {
    if (args.length != 2) {
      System.out.println("Usage: CalcHmacSignature key content");
      System.out.println("  (Note that one shouldn't really have the key ");
      System.out.println("   passed in on the command line.)");
      System.exit(1);
    }
    System.out.println("Signature: " + getSignatureForBytes(args[0], args[1]));
  }
}
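The Java sample above computes the signature; the receiving side also has to compare it safely. The following Python receiver is an added example written for this page, not Oracle's code: it signs the raw body exactly as described (HMAC SHA512 over the UTF-8 bytes, then base64), looks the header up case-insensitively, compares in constant time, and shows the cases a receiver must reject. The secret, event body and header set are constructed for the example; the header name is the one documented above.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example only. A real secret is the one
# shown under HMAC Authentication on the Webhook tab, never a literal in code.
SAMPLE_SECRET = "example-shared-secret-not-real"
SAMPLE_BODY = b'{"eventId": "evt-0001", "orderId": "o12345", "state": "SUBMITTED"}'
HEADER_NAME = "X-Oracle-CC-WebHook-Signature"


def sign_body(secret: str, raw_body: bytes) -> str:
    """Return base64(HMAC-SHA512(secret, raw_body)), as the header carries it.

    The MAC is taken over the exact bytes received on the wire, not over a
    re-serialised copy of the parsed JSON.
    """
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha512).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: str, headers: dict, raw_body: bytes) -> bool:
    """True only if the request carries a signature that matches raw_body.

    Header names are matched case-insensitively (HTTP stacks often lowercase
    them) and the comparison is constant-time, so the receiver does not leak
    how many leading characters of a presented signature were correct.
    """
    presented = next(
        (v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None
    )
    if not presented:
        return False
    expected = sign_body(secret, raw_body).encode("utf-8")
    return hmac.compare_digest(expected, presented.strip().encode("utf-8"))


def demo() -> dict:
    """Constructed sender/receiver round trip covering accept and reject cases."""
    headers = {HEADER_NAME: sign_body(SAMPLE_SECRET, SAMPLE_BODY),
               "Content-Type": "application/json"}
    # Parsing and re-serialising the JSON (compact form here) changes the
    # bytes, so the signature no longer matches: verify what was received.
    reserialised = json.dumps(json.loads(SAMPLE_BODY),
                              separators=(",", ":")).encode("utf-8")
    return {
        "genuine": verify_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY),
        "tampered_body": verify_webhook(
            SAMPLE_SECRET, headers, SAMPLE_BODY.replace(b"o12345", b"o99999")),
        "wrong_secret": verify_webhook("rotated-secret-value", headers, SAMPLE_BODY),
        "missing_header": verify_webhook(
            SAMPLE_SECRET, {"Content-Type": "application/json"}, SAMPLE_BODY),
        "reserialised_body": verify_webhook(SAMPLE_SECRET, headers, reserialised),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the `genuine` case verifies; a changed body, a different (for example rotated) secret, a missing header, or a body re-serialised by a JSON library all fail. The last case is the common mistake in practice: frameworks that parse the body before the handler runs must still expose the original bytes for the check.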