Verifying signatures
Banked sends an HTTP header that allows you to verify the webhook's contents. Each request we POST to your webhook endpoint carries a digital signature, which allows you to verify that the request and its payload came from Banked and were not altered in transit.
When you create the webhook in the developer console, you provide a signature key. Banked uses this key to digitally sign the payload of each request and sends the resulting signature in a banked-signature HTTP header.
To verify the signature, follow these steps:
- Split the header using a period as the separator. The leading value is a Unix timestamp, and the second value is the signature.
- Concatenate the timestamp, a single period character and the raw payload of the request to generate the text to be signed, i.e.
text to sign = timestamp + "." + raw request payload
Use the request body exactly as it arrived on the wire; re-serialising the JSON can change its bytes and cause verification to fail.
- Sign the text using HMAC-SHA256 and the signature key you set up earlier in the console.
- Verify that the generated value matches the signature extracted in step one. Use a constant-time comparison rather than ordinary string equality so that the check does not leak timing information.
- Optionally, validate that the age of the timestamp is within an acceptable range. Because the timestamp is part of the signed text, an attacker cannot alter it without invalidating the signature, so this check bounds how long a captured request can be replayed.
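The procedure above, carried through as an added example in Python (this is not Banked's own code). It assumes the signature is hex-encoded, uses a constructed key, payload and timestamp, and picks a five-minute tolerance for the optional age check; confirm the encoding against what your developer console shows before relying on it.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for the example; use the key you set in the Banked console.
SIGNATURE_KEY = b"example-signature-key"
# Assumed acceptable age for the optional timestamp check (seconds).
TOLERANCE_SECONDS = 300


def compute_signature(key: bytes, timestamp: str, payload: bytes) -> str:
    """HMAC-SHA256 over timestamp + "." + raw payload.

    Hex encoding of the digest is an assumption of this example.
    """
    text_to_sign = timestamp.encode("ascii") + b"." + payload
    return hmac.new(key, text_to_sign, hashlib.sha256).hexdigest()


def verify_banked_signature(header: str, payload: bytes, key: bytes,
                            now: Optional[float] = None,
                            tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Return True only if the banked-signature header authenticates the raw payload."""
    # Step 1: split on the first period only, so the signature part is never
    # split further if it should ever contain a period.
    parts = header.strip().split(".", 1)
    if len(parts) != 2:
        return False
    timestamp, provided = parts
    if not timestamp.isdigit() or not provided:
        return False

    # Steps 2 and 3: recompute the HMAC over the exact bytes that were received.
    expected = compute_signature(key, timestamp, payload)

    # Step 4: constant-time comparison; plain == would leak timing information.
    if not hmac.compare_digest(expected.encode("ascii"), provided.encode("utf-8")):
        return False

    # Step 5 (optional): reject stale or far-future timestamps to limit replay.
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > tolerance:
        return False
    return True


def make_header(key: bytes, payload: bytes, timestamp: int) -> str:
    """Build a banked-signature style header; stands in for the sender in this example."""
    return f"{timestamp}.{compute_signature(key, str(timestamp), payload)}"


if __name__ == "__main__":
    # Constructed webhook body; a real one is whatever Banked POSTs, read as raw bytes.
    body = b'{"event":"payment.completed","id":"example-id"}'
    header = make_header(SIGNATURE_KEY, body, int(time.time()))
    print("valid:", verify_banked_signature(header, body, SIGNATURE_KEY))
    print("tampered:", verify_banked_signature(header, body + b" ", SIGNATURE_KEY))
```

In a web framework, pass the raw request body (for example the bytes before any JSON decoding) rather than a re-encoded object, and treat any False result as a reason to reject the request with a 4xx status.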