Maica receives webhook notifications from Xero (for example Invoice and payment events). To prove each notification genuinely came from Xero, Maica verifies an HMAC-SHA256 signature on every inbound request using a signing key you configure. This article explains where that key comes from and how to set it.
When you set up a webhook in your Xero app, Xero issues a webhook signing key. Xero signs every webhook payload with it, and Maica recomputes the signature to confirm the request is authentic before processing it.
It is your organisation’s own Xero secret; it is not shared with other Maica customers.
The key is stored on the Maica integration setting and used only server-side, inside Apex, to verify inbound webhook signatures (XeroNotificationPostProc). Note:
It is never returned in any response, never shown in the UI after entry, and never written to a log.
Access to the field is controlled by object permissions and Field-Level Security; only administrators should have access.
If you regenerate the signing key in Xero, paste the new value into the Xero Webhooks Key field. Inbound webhooks signed with the old key will fail verification once Xero switches over, so update both sides together.
If Xero webhooks start returning signature failures (HTTP 401 from Maica), confirm the key in Salesforce exactly matches the current key in your Xero app.
Last updated
Was this helpful?
Was this helpful?
