diff --git a/.env.example b/.env.example index 9f308d3..cd29496 100644 --- a/.env.example +++ b/.env.example @@ -9,3 +9,5 @@ BTCPAY_API_URL='http://localhost:23001/api/v1' LNDHUB_API_URL='http://localhost:3023' LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org' + +WEBHOOKS_ALLOWED_IPS='10.1.1.163' diff --git a/.env.production b/.env.production index 243f0e4..d99e4fe 100644 --- a/.env.production +++ b/.env.production @@ -5,3 +5,5 @@ BTCPAY_API_URL='http://10.1.1.163:23001/api/v1' LNDHUB_LEGACY_API_URL='http://10.1.1.163:3026' LNDHUB_API_URL='http://10.1.1.163:3026' LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org' + +WEBHOOKS_ALLOWED_IPS='10.1.1.163' diff --git a/.env.test b/.env.test index ce5e1f7..03daa76 100644 --- a/.env.test +++ b/.env.test @@ -1,5 +1,9 @@ EJABBERD_API_URL='http://xmpp.example.com/api' + BTCPAY_API_URL='http://btcpay.example.com/api/v1' + LNDHUB_LEGACY_API_URL='http://localhost:3023' LNDHUB_API_URL='http://localhost:3026' LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org' + +WEBHOOKS_ALLOWED_IPS='10.1.1.23' diff --git a/app/controllers/webhooks_controller.rb b/app/controllers/webhooks_controller.rb new file mode 100644 index 0000000..ae5ac96 --- /dev/null +++ b/app/controllers/webhooks_controller.rb @@ -0,0 +1,23 @@ +class WebhooksController < ApplicationController + skip_forgery_protection + + before_action :authorize_request + + def lndhub + begin + payload = JSON.parse(request.body.read, symbolize_names: true) + rescue + head :unprocessable_entity and return + end + + head :ok + end + + private + + def authorize_request + if !ENV['WEBHOOKS_ALLOWED_IPS'].split(',').include?(request.remote_ip) + head :forbidden and return + end + end +end diff --git a/config/routes.rb b/config/routes.rb index b0cf70e..12f3236 100644 --- a/config/routes.rb +++ b/config/routes.rb 
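Review bot: The allowlist in `authorize_request` keys on `request.remote_ip`, which Rails derives from the `X-Forwarded-For`/`Client-IP` headers, so it only identifies the caller if every path to this app goes through a proxy that overwrites those headers; a client that can reach the app server directly can send `X-Forwarded-For: 10.1.1.163` itself, and because private ranges are treated as trusted proxies, `remote_ip` may (depending on the Rails version's fallback) hand that spoofed address to the `include?` check. An IP allowlist is in any case a weak credential for a payment webhook: if LNDHub can be given a signing secret or token, verify it here with `ActiveSupport::SecurityUtils.secure_compare` and keep the IP check as defence in depth. Separately, `ENV['WEBHOOKS_ALLOWED_IPS']` is `nil` when the variable is unset and `.split` then raises, turning a misconfiguration into a 500 rather than a 403; `ENV.fetch('WEBHOOKS_ALLOWED_IPS', '').split(',').map(&:strip).include?(request.remote_ip)` closes that and tolerates spaces after commas. The parsed `payload` in `lndhub` is never used, which is fine for a stub but deserves a `# TODO: process LNDHub event` so the `head :ok` is not mistaken for a processed delivery.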
@@ -25,6 +25,8 @@ Rails.application.routes.draw do
 get 'lnurlpay/:address', to: 'lnurlpay#index', constraints: { address: /[^\/]+/}
 get 'lnurlpay/:address/invoice', to: 'lnurlpay#invoice', constraints: { address: /[^\/]+/}
 
+ post 'webhooks/lndhub', to: 'webhooks#lndhub'
+
 namespace :api do
 get 'kredits/onchain_btc_balance', to: 'kredits#onchain_btc_balance'
 end
diff --git a/spec/requests/webhooks_spec.rb b/spec/requests/webhooks_spec.rb
new file mode 100644
index 0000000..30d28db
--- /dev/null
+++ b/spec/requests/webhooks_spec.rb
@@ -0,0 +1,20 @@
+require 'rails_helper'
+
+RSpec.describe "Webhooks", type: :request do
+ describe "Allowed IP addresses" do
+ context "IP not allowed" do
+ it "returns a 403 status" do
+ post "/webhooks/lndhub"
+ expect(response).to have_http_status(:forbidden)
+ end
+ end
+
+ context "IP allowed" do
+ it "returns a 403 status" do
+ ENV['WEBHOOKS_ALLOWED_IPS'] = '127.0.0.1'
+ post "/webhooks/lndhub"
+ expect(response).to have_http_status(:unprocessable_entity)
+ end
+ end
+ end
+end
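Review bot: The second example in `spec/requests/webhooks_spec.rb` is described as `it "returns a 403 status"` but asserts `:unprocessable_entity`, so a failure would be reported under the wrong expectation; rename it to `it "returns a 422 status for an unparseable body"`. Assigning `ENV['WEBHOOKS_ALLOWED_IPS'] = '127.0.0.1'` inside that example is never reverted, so the `.env.test` value (`10.1.1.23`) is gone for every later example in the process, and if examples run in random order the "IP not allowed" case can start failing; restore it in an `around` hook, e.g. `around { |ex| saved = ENV['WEBHOOKS_ALLOWED_IPS']; ENV['WEBHOOKS_ALLOWED_IPS'] = '127.0.0.1'; ex.run; ENV['WEBHOOKS_ALLOWED_IPS'] = saved }`. The allowed case also relies on the request-spec client address being `127.0.0.1`, which is worth stating in a one-line comment, and a third example posting a valid JSON body and expecting `:ok` would cover the path the controller exists for.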