Verifying signatures

Banked sends an HTTP header that allows customers to verify the webhook's contents.

Each request we POST to your webhook endpoint will contain a digital signature, which allows you to verify that the request and payload came from Banked.

When you create the webhook in the developer console, you will need to provide a signature key. Banked will use this to digitally sign the payload of the request, and then provide that signature in a banked-signature HTTP header.

To verify the signature, you can follow these steps:

  1. Split the header using a period as the separator. The leading value will be a unix timestamp, and the second value is the signature.
  2. Concatenate the timestamp, a single period character and the payload of the request to generate the text to be signed (i.e. text to sign = timestamp + "." + raw request payload).
  3. Sign the text using HMAC-SHA256 and the signature key you set up earlier in the console.
  4. Verify the generated value matches the signature extracted in step one.
  5. Optionally, you can also validate that the age of the timestamp is within an acceptable range.
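The five steps above, carried through as an added Python example (this is not Banked's own code or SDK). It assumes that the signature in the header is the hex-encoded HMAC-SHA256 digest, that the raw request body is available as bytes, and that a five-minute timestamp window is acceptable; none of these three details is stated on the page. The comparison in step 4 uses `hmac.compare_digest` so that timing does not leak the expected value, and the `now` parameter exists only so the check is deterministic for testing.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumptions (not stated on the page): the header carries the hex-encoded
# HMAC-SHA256 digest, and the raw request body is handled as bytes.
DEFAULT_TOLERANCE_SECONDS = 300  # assumed acceptable timestamp age (5 minutes)


def compute_signature(secret: bytes, timestamp: str, payload: bytes) -> str:
    """Steps 2 and 3: HMAC-SHA256 over timestamp + "." + raw payload."""
    text_to_sign = timestamp.encode("ascii") + b"." + payload
    return hmac.new(secret, text_to_sign, hashlib.sha256).hexdigest()


def verify_banked_signature(header: str, payload: bytes, secret: bytes,
                            now: Optional[int] = None,
                            tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> bool:
    """Return True only if the header proves the payload was signed with the
    shared key and the timestamp is fresh. Every failure path returns False
    rather than raising, so a handler can reject the request uniformly."""
    # Step 1: split on the first period; the leading part is the unix timestamp.
    timestamp, sep, signature = header.partition(".")
    if not sep or not timestamp.isdigit() or not signature:
        return False

    # Steps 2 and 3: recompute the signature with our own copy of the key.
    expected = compute_signature(secret, timestamp, payload)

    # Step 4: constant-time comparison, so timing differences do not reveal
    # how many leading bytes of a forged signature were correct.
    if not hmac.compare_digest(expected.encode("ascii"),
                               signature.lower().encode("utf-8")):
        return False

    # Step 5: reject requests whose timestamp is too old (or far in the future),
    # which limits how long a captured request can be replayed.
    current = int(time.time()) if now is None else now
    if abs(current - int(timestamp)) > tolerance:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: simulate the header Banked would send for this key.
    secret = b"constructed-signature-key"
    payload = b'{"id":"example","status":"sent"}'
    ts = "1700000000"
    header = f"{ts}.{compute_signature(secret, ts, payload)}"
    print(verify_banked_signature(header, payload, secret, now=1700000100))  # True
    print(verify_banked_signature(header, payload + b" ", secret, now=1700000100))  # False
```

Note that the HMAC must be computed over the raw request body exactly as received; re-serialising a parsed JSON object will usually change whitespace or key order and produce a different digest.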