Payload Signing Mechanism

The system sends WebHook payloads to third-party endpoints, which are publicly reachable. The payload signing mechanism lets the receiving endpoint verify that incoming requests were not fabricated.

Whenever our system calls an endpoint, the request includes the X-Payload-Signature header. Its value is the base64-encoded signature of the sent payload, calculated with the private RSA key and the SHA-512 algorithm.

Your endpoint should reject all incoming requests that contain an incorrect payload signature!

Below is an example cURL request, similar to the one the system sends:

curl -XPOST 'https://example.com/webhook_endpoint' \
     -H 'X-Payload-Signature: {{PAYLOAD_SIGNATURE_HERE}}' \
     -H "Content-type: application/json" \
     -d '{"example":true}'

Verifying Payload Signature

To verify the signature you will need:

  1. The public RSA key generated for the WebHook, available from the organization panel (coming soon).
    We strongly recommend storing the generated public key on the server side (e.g. in an environment variable).
  2. The X-Payload-Signature header value.
  3. The raw payload exactly as the system sent it to the endpoint (the value of the -d argument in the example above).
  4. With these three inputs, verify the X-Payload-Signature value against the raw payload using the public key.

Examples
