Generate an HMAC key in the Adyen Customer Area for your notification webhook endpoint and store it securely in your server environment
For each incoming notification item, extract the fields required for HMAC computation: value, currency, merchantReference, PSP reference, event code, and success flag in the correct canonical order
Concatenate these fields using the colon-separated format specified in Adyen's documentation and compute an HMAC-SHA256 digest using your HMAC key
Compare the computed digest to the additionalData.hmacSignature field in the notification using a constant-time comparison; reject notifications where signatures do not match
Return an HTTP 200 response with the body content Adyen expects to acknowledge receipt; failure to acknowledge will cause Adyen to retry the notification
Implement idempotency using the PSP reference and event code combination to prevent duplicate processing of retried notifications
Known gotchas
The field order for HMAC computation is strictly defined by Adyen; using the wrong field order or omitting a required field will produce a signature mismatch even with the correct key
Adyen notifications use a specific string encoding for boolean success values; ensure your concatenation matches Adyen's exact format rather than your language's default boolean serialization
Adyen will retry unacknowledged notifications multiple times with exponential backoff; ensure your handler is idempotent because the same event may arrive more than once
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp