# Xero Webhook Signing Key — Configuration

Maica receives webhook notifications from Xero (for example, invoice and payment events). To prove that each notification genuinely came from Xero, Maica verifies an HMAC-SHA256 signature on every inbound request using a signing key you configure. This article explains where that key comes from and how to set it.

### What is the key?

When you set up a webhook in your Xero app, Xero issues a webhook signing key. Xero signs every webhook payload with it, and Maica recomputes the signature to confirm the request is authentic before processing it.

{% hint style="info" %}
It is your organisation’s own Xero secret; it is not shared with other Maica customers.
{% endhint %}

### Where is it stored and how is it used?

The key is stored on the Maica integration setting and used only server-side, inside Apex, to verify inbound webhook signatures (`XeroNotificationPostProc`). Note:

* It is never returned in any response, never shown in the UI after entry, and never written to a log.
* Access to the field is controlled by object permissions and Field-Level Security; only administrators should have access.

### How to configure your key?

{% stepper %}
{% step %}

### In Xero

Open your app’s webhook configuration and copy the webhook signing key.
{% endstep %}

{% step %}

### In the Maica Integration Settings

Paste the value into the Xero Webhooks Key field.
{% endstep %}

{% step %}

### Save

Maica will begin verifying inbound Xero webhooks against this key.
{% endstep %}
{% endstepper %}

### How to rotate your key?

If you regenerate the signing key in Xero, paste the new value into the Xero Webhooks Key field. Inbound webhooks signed with the old key will fail verification once Xero switches over, so update both sides together.

{% hint style="info" %}
If Xero webhooks start returning signature failures (HTTP 401 from Maica), confirm the key in Salesforce exactly matches the current key in your Xero app.
{% endhint %}
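
The signature check described above, written out as an added example (this is not Maica's Apex code). It assumes Xero's documented scheme, in which the `x-xero-signature` header carries the Base64-encoded HMAC-SHA256 of the raw request body; the keys, payload and the 200 success status are constructed for illustration. It shows why a key rotated on one side only, or pasted with stray whitespace, produces a 401.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample values, not real secrets or real Xero traffic.
OLD_KEY = "constructed-old-signing-key"
NEW_KEY = "constructed-new-signing-key"
RAW_BODY = b'{"events":[],"firstEventSequence":0,"lastEventSequence":0,"entropy":"CONSTRUCTED"}'


def xero_signature(signing_key: str, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 over the exact request bytes, keyed with the signing key."""
    mac = hmac.new(signing_key.encode("utf-8"), raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_webhook(configured_key: str, raw_body: bytes,
                   signature_header: Optional[str]) -> int:
    """Return the HTTP status a receiver would send: 200 if authentic, else 401."""
    # Fail closed: no configured key or no signature header means no trust.
    if not configured_key or not signature_header:
        return 401
    expected = xero_signature(configured_key, raw_body)
    # Constant-time comparison so timing does not leak how much matched.
    supplied = signature_header.strip().encode("utf-8")
    return 200 if hmac.compare_digest(expected.encode("ascii"), supplied) else 401


def rotation_scenarios() -> dict:
    """Statuses for the situations an administrator sees around key rotation."""
    signed_old = xero_signature(OLD_KEY, RAW_BODY)
    signed_new = xero_signature(NEW_KEY, RAW_BODY)
    return {
        "keys match": verify_webhook(OLD_KEY, RAW_BODY, signed_old),
        # Xero regenerated the key, receiver still holds the old one.
        "rotated in Xero only": verify_webhook(OLD_KEY, RAW_BODY, signed_new),
        # Both sides updated together.
        "rotated on both sides": verify_webhook(NEW_KEY, RAW_BODY, signed_new),
        # Key pasted with a trailing space is a different HMAC key.
        "key pasted with whitespace": verify_webhook(OLD_KEY + " ", RAW_BODY, signed_old),
        # The MAC covers raw bytes; re-serialised JSON no longer verifies.
        "body re-serialised": verify_webhook(OLD_KEY, RAW_BODY.replace(b":", b": "), signed_old),
    }


if __name__ == "__main__":
    for scenario, status in rotation_scenarios().items():
        print(f"{scenario}: {status}")
```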

