Validating Webhooks

HIPS signs webhooks with a JWT (JSON Web Token) using the RS256 method. Read more about JWT and download JWT libraries at

The JWT is posted with each webhook in the JSON body under the key jwt. Decode the JWT with a JWT library and make sure you specify the algorithm RS256 when you validate it.

Use the HIPS public RSA key to validate the JWT.

If you are validating Hips webhooks with JWT, you should only trust the data within the JWT, and only if the JWT signature is verified.

-----END PUBLIC KEY-----


If the signature of the JWT is valid, you know that the webhook has not been altered and that Hips is the sender of the webhook.


To prevent replay attacks, the JWT is signed with an expiration time. If you decode the JWT too long after it was originally created, you may get an expiration error. In that case you should not trust the JWT, and should instead call the GET API corresponding to the webhook to get the latest accurate data.
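
The checks described above (algorithm pinned to RS256, signature verified against the public key, expiration enforced) are shown here as an added example; it is not code from this page or from Hips. It uses Node's built-in crypto module in place of a JWT library so that it runs without dependencies. The throwaway key pair standing in for the HIPS public key, the claim names other than exp, and the helper names are assumptions constructed for the demonstration.

```javascript
const crypto = require("crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Verify the token found under the "jwt" key of the webhook body and return
// its claims. Throws on any failure; the caller then ignores the webhook
// contents and fetches current data from the GET API instead.
function verifyWebhookJwt(token, publicKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  // Pin the algorithm: the token's own header must not choose how it is verified.
  if (header.alg !== "RS256") throw new Error("bad-alg");
  const valid = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`),
    publicKeyPem, Buffer.from(s, "base64url"));
  if (!valid) throw new Error("bad-signature");
  // Only parse and trust the claims after the signature has been verified.
  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  // A missing or past exp is treated as a possible replay.
  if (typeof claims.exp !== "number" || nowSec >= claims.exp) throw new Error("expired");
  return claims;
}

// Constructed fixtures: a throwaway key pair stands in for the real signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});

// Hypothetical helper that builds sample tokens for the checks below.
function signSample(claims, header = { alg: "RS256", typ: "JWT" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = header.alg === "RS256"
    ? crypto.sign("RSA-SHA256", Buffer.from(input), privateKey)
    : Buffer.alloc(0);
  return `${input}.${b64url(sig)}`;
}

// Returns "ok" or the rejection reason for a token at a given time.
function check(token, nowSec) {
  try { verifyWebhookJwt(token, publicKey, nowSec); return "ok"; }
  catch (err) { return err.message; }
}
```

In a real receiver, pass the published public key PEM to verifyWebhookJwt and act only on the returned claims, never on other fields of the webhook body.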