The JWT payload is posted in each webhook in the body JSON under the key jwt. Decode the jwt with a JWT library and make sure you specify the algorithm RS256 when you validate the JWT.
Use the HIPS public RSA key below to validate the JWT.
If you are validating Hips webhooks with JWT, you should only trust the data within the JWT, and only if the JWT signature is verified.
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu269xcyVkOZLP93D82g8
vsLgLMDIfc853syoQ6gu0K3kwMcSru9iNhj4CWEWp4t7ozDd3o+t6Y6scZtLnSrM
ZhoUkdiOIK7hqF6e9tS+vT8vFOkrmsGysQJbY2IBaX4WknOsQEjARw04S37g6XUB
ERXlC0VwUXrUZVsNCYrE0sa0OvZ/IxHLJrt+fpTOUFrcYowe6Ha7sZEz2ju1x8nq
foEnsfVLRMsgVE+Af2uhANqSONCly0WWJID+q0gIqnDYQ/ETclGDeDcMU7J9/fUG
euPoQtNRJKRWG/J0sqEWFjPtahDyq9slO5qn55rcYdOR2ZGHTkqvLVFwSOSivCmT
1QIDAQAB
-----END PUBLIC KEY-----
If the signature of the JWT is valid, then you know that the webhook has not been altered and that Hips is the sender of the webhook.
To prevent replay attacks, the JWT is signed with an expiration time. If you decode the JWT too long after it was originally created, you may get an expiration error. In that case you should not trust the JWT, and instead call the GET API corresponding to the webhook to get the latest accurate data.