Glossary

Signature header (Credicorp-Signature)

Credicorp-Signature is the header on every webhook carrying a signed timestamp (t=) and one or more HMAC-SHA256 values (v1=) you verify against your signing secret.

2 min read

Definition

The Credicorp-Signature header is how you prove a webhook is genuine. It carries the timestamp the signature was made and the HMAC of {t}.{rawbody}. You recompute the HMAC with your signing secret and compare in constant time, rejecting anything outside the 300-second tolerance. Multiple v1= values can appear during a secret rotation. See signature verification.

Frequently asked questions

Why multiple v1 values?

During a secret rotation, deliveries are signed with both the old and new secret so you never miss one. A match on any v1= is valid.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.