HTTP Post (Webhook) Security Settings

MailMunch allows you to secure the incoming webhook request to your api endpoint by using a combination of your secret key and the request's timestamp.

In order to secure your requests, edit your HTTP Post integration in your optin form's edit flow and enter a secret key:


Once you've entered the secret key, all future webhook requests will contain the following two headers:

  • X-Mailmunch-Time: Unix epoch
  • Authorization: SHA256 hash of your secret key and timestamp encoded with base64.

The timestamp used for matching the authorization key should match with the timestamp in the X-MailMunch-Time header. 

Here's a PHP code snippet to verify a secure request.


function is_secure_request() {
    $headers = getallheaders();
    $time = $headers['X-Mailmunch-Time'];
    $authorization = isset($headers['Authorization']) ? $headers['Authorization'] : null;
    if (empty($authorization)) return false;

    list($algo, $hash) = explode(' ', $authorization);
    $key = '#tToArng8YPJ4R'; // Replace with your own key

    return hash('sha256', $key . $time, true) == base64_decode($hash);

if (is_secure_request()) {
    // process contact




Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Article is closed for comments.