{"id":"59b1c280-a582-4092-a199-ed8257f01503","task":"Configure and validate Adyen HMAC webhook signature verification for notification security","domain":"docs.adyen.com","steps":["Generate an HMAC key in the Adyen Customer Area for your notification webhook endpoint and store it securely in your server environment","For each incoming notification item, extract the fields required for HMAC computation: value, currency, merchantReference, PSP reference, event code, and success flag in the correct canonical order","Concatenate these fields using the colon-separated format specified in Adyen's documentation and compute an HMAC-SHA256 digest using your HMAC key","Compare the computed digest to the additionalData.hmacSignature field in the notification using a constant-time comparison; reject notifications where signatures do not match","Return an HTTP 200 response with the body content Adyen expects to acknowledge receipt; failure to acknowledge will cause Adyen to retry the notification","Implement idempotency using the PSP reference and event code combination to prevent duplicate processing of retried notifications"],"gotchas":["The field order for HMAC computation is strictly defined by Adyen; using the wrong field order or omitting a required field will produce a signature mismatch even with the correct key","Adyen notifications use a specific string encoding for boolean success values; ensure your concatenation matches Adyen's exact format rather than your language's default boolean serialization","Adyen will retry unacknowledged notifications multiple times with exponential backoff; ensure your handler is idempotent because the same event may arrive more than once"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:37.008Z"},"url":"https://mcp.waymark.network/r/59b1c280-a582-4092-a199-ed8257f01503"}