Webhook Signatures

Verify the events that OpenPayd sends to your webhook endpoints.

OpenPayd signs every webhook event it sends to your endpoints and carries the signature in a header of the request. Verifying it lets you confirm that the event was sent by OpenPayd, and that its body was not altered in transit, rather than forged by a third party.

Before you can verify signatures, you need to download your Public Key from your Dashboard’s Webhooks page.

Verifying Signatures

Step 1:
Extract the Base64-encoded signature from the signature header of the event notification. If the header is missing, reject the request.

Step 2:
Verify the signature as an RSA signature over the webhook body with the SHA-256 hash function (SHA256withRSA), using the OpenPayd Public Key as the verification key. The message is the raw request body exactly as received; re-serialising the JSON or altering whitespace changes the bytes and makes verification fail.

Step 3:
Process the event only if verification in Step 2 succeeds. If it fails, or the header or key cannot be decoded, treat the event as unauthenticated and discard it.

Below is an example in Java implementing the above steps. publicKeyBase64 is the Base64-encoded Public Key downloaded from your Dashboard, data is the raw request body as received, and signature is the Base64 value taken from the signature header. Treat any exception (including a Base64 decoding error) as a failed verification.

import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
public static boolean verifySignature(String publicKeyBase64, String data, String signature) throws GeneralSecurityException {
    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    PublicKey publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(publicKeyBase64)));
    Signature sig = Signature.getInstance("SHA256withRSA");
    sig.initVerify(publicKey);
    sig.update(data.getBytes(StandardCharsets.UTF_8));
    return sig.verify(Base64.getDecoder().decode(signature));
}
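The same verification in Go, as an added example that is not OpenPayd's code or part of the original page. Since a receiver never holds OpenPayd's signing key, the example generates a throwaway RSA key pair to stand in for it, encodes the public key the same way the Dashboard key is consumed above (Base64 of the DER SubjectPublicKeyInfo, what Java's X509EncodedKeySpec reads) and signs a constructed sample body; the event body, its field names and the header values are all constructed for the example, not real OpenPayd events. It then shows what a correct receiver must do with a tampered body, a re-serialised body, a malformed header and a signature from a different key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// VerifyWebhookSignature implements Steps 1-3 on the receiving side.
// publicKeyB64 is the Base64-encoded DER (SubjectPublicKeyInfo) key from the
// Dashboard, body is the raw request body exactly as received and sigHeader is
// the Base64 value from the signature header. Java's SHA256withRSA is
// RSASSA-PKCS1-v1_5 with SHA-256, i.e. rsa.VerifyPKCS1v15. Only a nil return
// means the event may be processed.
func VerifyWebhookSignature(publicKeyB64 string, body []byte, sigHeader string) error {
	der, err := base64.StdEncoding.DecodeString(publicKeyB64)
	if err != nil {
		return fmt.Errorf("public key is not valid Base64: %w", err)
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return fmt.Errorf("public key is not valid DER: %w", err)
	}
	rsaKey, ok := key.(*rsa.PublicKey)
	if !ok {
		return errors.New("public key is not an RSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigHeader)
	if err != nil {
		return fmt.Errorf("signature header is not valid Base64: %w", err)
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not verify over the body: %w", err)
	}
	return nil
}

// signBody plays the sender so the example runs offline. A real receiver never
// holds the signing key; only OpenPayd does.
func signBody(priv *rsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Scenario runs the verifier end to end and reports whether it accepted the
// genuine delivery and rejected every bad one.
func Scenario() (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for OpenPayd's key
	if err != nil {
		return false, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return false, err
	}
	publicKeyB64 := base64.StdEncoding.EncodeToString(pubDER)

	// Constructed sample body; not a real OpenPayd event.
	body := []byte(`{"eventType":"EXAMPLE_EVENT","reference":"example-1","amount":"10.00"}`)
	header, err := signBody(priv, body)
	if err != nil {
		return false, err
	}
	genuine := VerifyWebhookSignature(publicKeyB64, body, header) == nil
	// Any change to the body invalidates the signature: a changed amount ...
	tampered := VerifyWebhookSignature(publicKeyB64,
		[]byte(`{"eventType":"EXAMPLE_EVENT","reference":"example-1","amount":"10000.00"}`), header) != nil
	// ... or the same JSON re-serialised with different whitespace, which is why
	// the bytes must be verified exactly as received.
	reserialised := VerifyWebhookSignature(publicKeyB64,
		[]byte(`{"eventType": "EXAMPLE_EVENT", "reference": "example-1", "amount": "10.00"}`), header) != nil
	// A header that is not valid Base64 is rejected before any RSA work is done.
	malformed := VerifyWebhookSignature(publicKeyB64, body, "not-a-signature!") != nil
	// A signature made with someone else's key over the same body is rejected.
	otherPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	forgedHeader, err := signBody(otherPriv, body)
	if err != nil {
		return false, err
	}
	forged := VerifyWebhookSignature(publicKeyB64, body, forgedHeader) != nil

	return genuine && tampered && reserialised && malformed && forged, nil
}

func main() {
	ok, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine event accepted and all bad deliveries rejected:", ok)
}
```

In a real handler, read the body with io.ReadAll before any JSON decoding and pass those bytes to VerifyWebhookSignature; decode the JSON only after it returns nil.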

To manually verify signatures during testing, you can use an online RSA signature verification tool, pasting in the Base64 Public Key, the raw body and the header value. Use test events for this; production webhook bodies may contain customer data that should not be pasted into third-party tools.