diff --git a/webhook.go b/webhook.go
new file mode 100644
index 0000000..716e7ed
--- /dev/null
+++ b/webhook.go
@@ -0,0 +1,91 @@
+package datatrans
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strings"
+)
+
+var (
+	ErrWebhookMissingSignature  = errors.New("malformed header Datatrans-Signature")
+	ErrWebhookMismatchSignature = errors.New("mismatch of Datatrans-Signature")
+)
+
+// https://api-reference.datatrans.ch/#section/Webhook/Webhook-signing
+type WebhookOption struct {
+	Sign2HMACKey string
+	ErrorHandler func(error) http.Handler
+}
+
+// ValidateWebhook an HTTP middleware which checks that the signature in the header is valid.
+func ValidateWebhook(wo WebhookOption) (func(next http.Handler) http.Handler, error) {
+	if wo.ErrorHandler == nil {
+		wo.ErrorHandler = func(err error) http.Handler {
+			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+			})
+		}
+	}
+
+	key, err := hex.DecodeString(wo.Sign2HMACKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to hex decode Sign2HMACKey")
+	}
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Datatrans-Signature: t=1559303131511,s0=33819a1220fd8e38fc5bad3f57ef31095fac0deb38c001ba347e694f48ffe2fc
+
+			tm, s0 := extractTimeAndHash(r.Header.Get("Datatrans-Signature"))
+			if tm == "" || len(s0) == 0 {
+				wo.ErrorHandler(ErrWebhookMissingSignature).ServeHTTP(w, r)
+				return
+			}
+
+			hmv := hmac.New(sha256.New, key)
+			hmv.Write([]byte(tm))
+
+			var buf bytes.Buffer
+			if _, err := io.Copy(io.MultiWriter(&buf, hmv), r.Body); err != nil {
+				_ = r.Body.Close()
+				wo.ErrorHandler(errors.New("ValidateWebhook: copy failed")).ServeHTTP(w, r)
+				return
+			}
+			_ = r.Body.Close()
+			r.Body = ioutil.NopCloser(&buf)
+
+			if !hmac.Equal(hmv.Sum(nil), []byte(s0)) {
+				wo.ErrorHandler(ErrWebhookMismatchSignature).ServeHTTP(w, r)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}, nil
+}
+
+func extractTimeAndHash(headerValue string) (time string, s0hashB []byte) {
+	lhv := len(headerValue)
+	if lhv == 0 {
+		return "", nil
+	}
+	commaIDX := strings.IndexRune(headerValue, ',')
+	if commaIDX < 1 {
+		return "", nil
+	}
+
+	time = headerValue[2:commaIDX]
+	if lhv < commaIDX+4 {
+		return "", nil
+	}
+	s0hash := headerValue[commaIDX+4:]
+	s0hashB, _ = hex.DecodeString(s0hash)
+	return time, s0hashB
+}
diff --git a/webhook_test.go b/webhook_test.go
new file mode 100644
index 0000000..f95b3b5
--- /dev/null
+++ b/webhook_test.go
@@ -0,0 +1,95 @@
+package datatrans
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/sha256"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func must(t *testing.T, err error) {
+	t.Helper()
+	if err != nil {
+		t.Fatalf("%s\n%#v", err, err)
+	}
+}
+
+func Test_extractTimeAndHash(t *testing.T) {
+	tests := []struct {
+		name        string
+		headerValue string
+		wantTime    string
+		wantS0hash  []byte
+	}{
+		{
+			name:        "ok",
+			headerValue: "t=1559303131511,s0=33819a1220fd8e38fc5bad3f57ef31095fac0deb38c001ba347e694f48ffe2fc",
+			wantTime:    "1559303131511",
+			wantS0hash:  []byte{0x33, 0x81, 0x9a, 0x12, 0x20, 0xfd, 0x8e, 0x38, 0xfc, 0x5b, 0xad, 0x3f, 0x57, 0xef, 0x31, 0x9, 0x5f, 0xac, 0xd, 0xeb, 0x38, 0xc0, 0x1, 0xba, 0x34, 0x7e, 0x69, 0x4f, 0x48, 0xff, 0xe2, 0xfc},
+		},
+		{
+			name:        "empty vals",
+			headerValue: "t=,s0=",
+		},
+		{
+			name: "empty",
+		},
+		{
+			name:        "missing comma",
+			headerValue: "t=1559303131511s0=33",
+		},
+		{
+			name:        "comma begin",
+			headerValue: ",t=1559303131511s0=33",
+		},
+		{
+			name:        "comma end",
+			headerValue: "t=1559303131511s0=33,",
+		},
+		{
+			name:        "comma only",
+			headerValue: ",",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotTime, gotS0hash := extractTimeAndHash(tt.headerValue)
+			if gotTime != tt.wantTime {
+				t.Errorf("extractTimeAndHash() gotTime = %v, want %v", gotTime, tt.wantTime)
+			}
+			if !bytes.Equal(gotS0hash, tt.wantS0hash) {
+				t.Errorf("extractTimeAndHash() gotS0hash = %x, want %x", gotS0hash, tt.wantS0hash)
+			}
+		})
+	}
+}
+
+func TestValidateWebhook(t *testing.T) {
+	sign2Key := []byte(`asdfasd^%@^&%fa`)
+	const timeStr = `1559303131511`
+
+	mw, err := ValidateWebhook(WebhookOption{
+		Sign2HMACKey: "617364666173645e25405e26256661",
+	})
+	must(t, err)
+
+	const datatransBody = `{"transactionId": "210215103042148501"}`
+	r := httptest.NewRequest("POST", "/", strings.NewReader(datatransBody))
+
+	ht := hmac.New(sha256.New, sign2Key)
+	fmt.Fprintf(ht, "%s%s", timeStr, datatransBody)
+	r.Header.Set("Datatrans-Signature", fmt.Sprintf("t=%s,s0=%x", timeStr, ht.Sum(nil)))
+
+	w := httptest.NewRecorder()
+	mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "success")
+	})).ServeHTTP(w, r)
+
+	if w.Body.String() != "success" {
+		t.Error("something is wrong")
+	}
+}