Each request we POST to your webhook endpoints will contain a digital signature, which allows you to verify that the request and payload came from Banked.
When you set up a webhook, you will need to provide a signature key. Banked will use this to digitally sign the payload of the request, and then provide that signature in a banked-signature HTTP header.
To verify the signature, you can follow these steps:
- Split the header using a period as the separator. The leading value will be a Unix timestamp, and the second value is the signature.
- Concatenate the timestamp, a single period character, and the raw payload of the request to generate the text to be signed, i.e. text to sign = timestamp + "." + raw request payload.
- Sign the text using HMAC-SHA256 and the signature key you set up earlier in the console.
- Verify the generated value matches the signature extracted from step one.
- You can also optionally choose to validate that the age of the timestamp is within an acceptable range.
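The verification steps above as an added Python example (not Banked's own code). It assumes the signature is lowercase hex, that the signature key is used as its UTF-8 bytes, and that your web framework gives you the raw request body bytes; the header-building helper exists only so the example can be exercised offline.

```python
import hashlib
import hmac
import time


def verify_banked_signature(header, raw_body, signature_key,
                            max_age_seconds=300, now=None):
    """Return True only if `header` is a valid banked-signature for raw_body.

    raw_body must be the bytes exactly as received; re-serialising parsed
    JSON can change whitespace or key order and break the signature.
    """
    # Step 1: split "timestamp.signature" on the first period.
    try:
        timestamp_str, provided_sig = header.split(".", 1)
        timestamp = int(timestamp_str)
    except (ValueError, AttributeError):
        return False

    # Optional step 5: reject timestamps outside an acceptable window
    # (replayed or future-dated requests). Pass max_age_seconds=None to skip.
    if max_age_seconds is not None:
        current = int(time.time()) if now is None else now
        if abs(current - timestamp) > max_age_seconds:
            return False

    # Step 2: text to sign = timestamp + "." + raw request payload
    if isinstance(raw_body, str):
        raw_body = raw_body.encode("utf-8")
    text_to_sign = timestamp_str.encode("ascii") + b"." + raw_body

    # Step 3: HMAC-SHA256 with the signature key (assumed UTF-8, hex output).
    expected = hmac.new(signature_key.encode("utf-8"), text_to_sign,
                        hashlib.sha256).hexdigest()

    # Step 4: constant-time comparison so a timing side channel cannot
    # leak the expected value byte by byte.
    return hmac.compare_digest(expected, provided_sig)


def build_banked_signature_header(raw_body, signature_key, timestamp=None):
    """Hypothetical sender-side helper, only for testing the verifier."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    text_to_sign = f"{ts}.".encode("ascii") + raw_body
    sig = hmac.new(signature_key.encode("utf-8"), text_to_sign,
                   hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"
```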