OpenPayd Developer Hub


Webhook Signatures

Verify the events that OpenPayd sends to your webhook endpoints.

OpenPayd signs all webhook events it sends to your endpoints by including a signature header in each event. This allows you to verify that the events were sent by OpenPayd and not by a third party.

Before you can verify signatures, you need to download your Public Key from your Dashboard’s Webhooks page.

Verifying Signatures

Step 1:
Extract the signature from the header of the event notification.

Step 2:
Determine the expected signature by computing an HMAC with the SHA256 hash function. Use the OpenPayd Public Key as the key, and the webhook body as the message.

Step 3:
Compare the signature from the header with the expected signature computed in Step 2.

Below is an example in Java that implements the above steps.

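// Imports: java.security.{KeyFactory, PublicKey, Signature}, java.security.spec.X509EncodedKeySpec, java.util.Base64
Base64.Decoder base64Decoder = Base64.getDecoder();
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(base64Decoder.decode(publicKeyBase64)));
Signature sig = Signature.getInstance("SHA256withRSA");
sig.initVerify(publicKey);  // verify against the OpenPayd public key
sig.update(rawBody);        // rawBody (assumed name): byte[] of the webhook body exactly as received
return sig.verify(base64Decoder.decode(signature));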

To manually verify signatures during testing, you can use this handy online tool.
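For testing without sending event data to a third-party site, the check can also be exercised locally. The class below is an added example, not OpenPayd's own code: it follows the SHA256withRSA scheme of the Java sample above, and the class and method names, the generated key pair and the sample bodies are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class WebhookSignatureCheck {
    // True only if signatureB64 is a valid SHA256withRSA signature over rawBody.
    // Malformed keys or signatures count as a failed verification (fail closed).
    static boolean verify(String publicKeyBase64, byte[] rawBody, String signatureB64) {
        if (publicKeyBase64 == null || rawBody == null || signatureB64 == null) return false;
        try {
            Base64.Decoder dec = Base64.getDecoder();
            PublicKey key = KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(dec.decode(publicKeyBase64)));
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sig.update(rawBody); // the exact bytes received, before any JSON parsing
            return sig.verify(dec.decode(signatureB64));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // bad Base64, unusable key, or malformed signature
        }
    }

    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    public static void main(String[] args) throws Exception {
        // Constructed test key pair standing in for the sender; not a real OpenPayd key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String publicKeyBase64 = Base64.getEncoder().encodeToString(pair.getPublic().getEncoded());

        // Constructed sample body; the field names are illustrative only.
        byte[] body = utf8("{\"type\":\"EXAMPLE_EVENT\",\"amount\":\"10.00\"}");
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(pair.getPrivate());
        signer.update(body);
        String header = Base64.getEncoder().encodeToString(signer.sign());

        byte[] tampered = utf8("{\"type\":\"EXAMPLE_EVENT\",\"amount\":\"99.00\"}");
        byte[] reserialized = utf8("{ \"type\": \"EXAMPLE_EVENT\", \"amount\": \"10.00\" }");
        System.out.println("genuine body:       " + verify(publicKeyBase64, body, header));
        System.out.println("tampered body:      " + verify(publicKeyBase64, tampered, header));
        System.out.println("re-serialized body: " + verify(publicKeyBase64, reserialized, header));
        System.out.println("malformed header:   " + verify(publicKeyBase64, body, "not base64!"));
    }
}
```

Only the genuine body verifies. The re-serialized case shows why the check must run over the raw request bytes rather than a parsed and re-encoded object.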

Updated about a year ago
