All Collections
Apps & Integrations
HTTP Post (Webhook) Security Settings
HTTP Post (Webhook) Security Settings
Liz Gannes avatar
Written by Liz Gannes
Updated over a week ago

MailMunch allows you to secure the incoming webhook request to your API endpoint by using a combination of your secret key and the request's timestamp.

In order to secure your requests, follow the few easy steps mentioned below.

Step 1: Edit your HTTP Post integration in your opt-in form's edit flow, and enter a Security Key.

Step 2: Once you've entered the secret key, all future webhook requests will contain the following two headers:

  • X-Mailmunch-Time: Unix epoch

  • Authorization: SHA256 hash of your secret key and timestamp encoded with base64.

The timestamp used for matching the authorization key should match with the timestamp in the X-MailMunch-Time header.

Here's a PHP code snippet to verify a secure request.

function is_secure_request() {
$headers = getallheaders();
$time = $headers['X-Mailmunch-Time'];
$authorization = isset($headers['Authorization']) ? $headers['Authorization'] : null;
if (empty($authorization)) return false;

list($algo, $hash) = explode(' ', $authorization);
$key = '#tToArng8YPJ4R'; // Replace with your own key

return hash('sha256', $key . $time, true) == base64_decode($hash);

if (is_secure_request()) {
// process contact



Did this answer your question?