HIPS are signing webhooks with JWT (JSON Web Token) with method RS256. Read more about JWT and download JWY libraries at jwt.io.
The JWT Payload is posted in each webhook in the body json under the key jwt
. Decode the jwt
with a JWT library and make sure you specify algorithm RS256
when you validate the jwt
.
Use HIPS Public RSA key to validate the JWT.
If you are validating Hips webhooks with JWT you should only trust the data within the JWT, and only if the JWT signature is verified.
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu269xcyVkOZLP93D82g8
vsLgLMDIfc853syoQ6gu0K3kwMcSru9iNhj4CWEWp4t7ozDd3o+t6Y6scZtLnSrM
ZhoUkdiOIK7hqF6e9tS+vT8vFOkrmsGysQJbY2IBaX4WknOsQEjARw04S37g6XUB
ERXlC0VwUXrUZVsNCYrE0sa0OvZ/IxHLJrt+fpTOUFrcYowe6Ha7sZEz2ju1x8nq
foEnsfVLRMsgVE+Af2uhANqSONCly0WWJID+q0gIqnDYQ/ETclGDeDcMU7J9/fUG
euPoQtNRJKRWG/J0sqEWFjPtahDyq9slO5qn55rcYdOR2ZGHTkqvLVFwSOSivCmT
1QIDAQAB
-----END PUBLIC KEY-----
If the signature of the JWT is valid then you know that the webhook is not alterd and that Hips is the sender of the webhook.
To prevent from replay attacks, the JWT is signed with an expiration time. If you decode the JWT after too long time from it was originally created, you may get an expiration error. In that case you should not trust the JWT, and instead call the GET API corresponding to the web hook to get the latest accurate data.