OpenPayd signs every webhook event it sends to your endpoints and carries the signature in a header on each event. Verifying that signature lets you confirm an event was produced by OpenPayd and not by a third party posting to your endpoint.
Before you can verify signatures, you need to download your Public Key from your Dashboard’s Webhooks page.
1. Extract the signature from the signature header of the event notification.
2. Verify that signature against the webhook body using your OpenPayd Public Key. The signature is an RSA signature over the SHA-256 digest of the body (SHA256withRSA in Java terms), so this is a public-key signature verification, not an HMAC: a public key cannot serve as an HMAC secret, because anyone who holds it could forge the value. Run the verification over the request body bytes exactly as received, not over a re-serialised copy of the parsed JSON, since any change in whitespace or key order alters the digest.
3. Accept the event only if the verification in Step 2 succeeds. If it fails, discard the event and do not act on its contents.
Below is an example in Java that implements the steps above.

```java
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

// publicKeyBase64: the Public Key from the Dashboard (base64-encoded X.509 SubjectPublicKeyInfo)
// data: the raw webhook body as received; signature: the base64 value from the signature header
static boolean verify(String publicKeyBase64, String data, String signature) throws Exception {
    Base64.Decoder base64Decoder = Base64.getDecoder();
    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    PublicKey publicKey = keyFactory.generatePublic(
            new X509EncodedKeySpec(base64Decoder.decode(publicKeyBase64)));
    Signature sig = Signature.getInstance("SHA256withRSA");
    sig.initVerify(publicKey);
    sig.update(data.getBytes("UTF-8"));
    return sig.verify(base64Decoder.decode(signature));
}
```
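The same check in Go, as an added example that is not part of the OpenPayd documentation or SDKs. It assumes the public key is delivered as base64-encoded X.509 SubjectPublicKeyInfo (the encoding Java's X509EncodedKeySpec reads) and the header carries a base64 SHA256withRSA signature, as the Java snippet above implies. The SenderFixture type, the key it generates and the sample body are constructed here only so the example runs offline; in production OpenPayd holds the private key and you only hold the public half.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// VerifyWebhookSignature checks the base64 signature from the webhook's
// signature header against the raw request body using the base64-encoded
// SubjectPublicKeyInfo public key from the Dashboard. The algorithm is RSA
// PKCS#1 v1.5 over a SHA-256 digest, i.e. Java's "SHA256withRSA".
//
// It returns (false, nil) for a well-formed but wrong signature and a non-nil
// error only when an input cannot be decoded; callers reject in both cases.
func VerifyWebhookSignature(publicKeyBase64 string, body []byte, signatureBase64 string) (bool, error) {
	der, err := base64.StdEncoding.DecodeString(publicKeyBase64)
	if err != nil {
		return false, fmt.Errorf("public key is not valid base64: %w", err)
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return false, fmt.Errorf("public key is not SubjectPublicKeyInfo DER: %w", err)
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("public key is not an RSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(signatureBase64)
	if err != nil {
		return false, fmt.Errorf("signature header is not valid base64: %w", err)
	}
	// Hash the body bytes exactly as received; re-serialising parsed JSON
	// would change whitespace or key order and make a genuine signature fail.
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return false, nil
	}
	return true, nil
}

// SenderFixture is a hypothetical stand-in for OpenPayd's signing side so the
// example can run without a real webhook. It is not part of any OpenPayd API.
type SenderFixture struct {
	PublicKeyBase64 string
	priv            *rsa.PrivateKey
}

func NewSenderFixture() (*SenderFixture, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return &SenderFixture{PublicKeyBase64: base64.StdEncoding.EncodeToString(der), priv: priv}, nil
}

// Sign produces the base64 SHA256withRSA signature a sender would put in the header.
func (f *SenderFixture) Sign(body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, f.priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

func main() {
	sender, err := NewSenderFixture()
	if err != nil {
		panic(err)
	}
	// Constructed sample body; not a real OpenPayd event payload.
	body := []byte(`{"eventId":"example-1","status":"COMPLETED"}`)
	sig, err := sender.Sign(body)
	if err != nil {
		panic(err)
	}
	ok, err := VerifyWebhookSignature(sender.PublicKeyBase64, body, sig)
	fmt.Println("genuine body verifies:", ok, err) // true <nil>

	// A single changed byte in the body must fail verification.
	tampered := []byte(`{"eventId":"example-1","status":"COMPLETED "}`)
	ok, err = VerifyWebhookSignature(sender.PublicKeyBase64, tampered, sig)
	fmt.Println("tampered body verifies:", ok, err) // false <nil>
}
```

Keep the three failure classes distinct in your handler: a decoding error means a malformed request or a misconfigured key, a `false` result means a forged or tampered event, and only `true` should lead to processing. Treat the signature check as the first thing you do with the request, before JSON parsing, so the bytes you hash are the bytes that arrived.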
To manually verify signatures during testing, you can use this handy online tool.