Validations
Webhook signatures must be verified to guarantee that the webhook was sent from our system and was not tampered with in transit, for example by a man-in-the-middle attack.
Public Key
Upon configuring a webhook, a cryptographic public key is generated for verifying the webhook message signatures. This verification process assures the authenticity and integrity of the webhook message.
Validate Webhook Message
1. Retrieve Public Key
That key can be retrieved by making a GET request to /webhooks/key
2. Verify Content Digest
3. Verify HTTP Message Signature
If you are unable to verify either the content digest or the HTTP message signature, you should discard the webhook message.
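The following is an added example of the content digest check in step 2, not code from this documentation or its provider. It assumes the digest arrives in a Content-Digest header in the RFC 9530 form (`sha-256=:<base64>:`); the header name, the accepted algorithms, the function names and the sample body are all assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Assumption: algorithm names follow RFC 9530; the page does not list them.
SUPPORTED = {"sha-512": hashlib.sha512, "sha-256": hashlib.sha256}  # strongest first

# One dictionary member of the form  name=:base64:
_MEMBER = re.compile(r"^([a-z*][a-z0-9_.*-]*)=:([A-Za-z0-9+/=]*):$")


def parse_content_digest(header_value):
    """Return {algorithm: digest_bytes}; raise ValueError on malformed input."""
    digests = {}
    for part in header_value.split(","):
        match = _MEMBER.match(part.strip())
        if not match:
            raise ValueError("malformed Content-Digest member")
        try:
            digests[match.group(1)] = base64.b64decode(match.group(2), validate=True)
        except binascii.Error as exc:
            raise ValueError("invalid base64 in Content-Digest") from exc
    return digests


def content_digest_ok(raw_body, header_value):
    """True only if the strongest supported digest matches the raw body bytes."""
    if not header_value:
        return False  # missing header: discard the webhook
    try:
        digests = parse_content_digest(header_value)
    except ValueError:
        return False
    for name, hash_fn in SUPPORTED.items():
        if name in digests:
            expected = hash_fn(raw_body).digest()
            # Constant-time comparison of the computed and received digests.
            return hmac.compare_digest(expected, digests[name])
    return False  # no algorithm we recognise


# Constructed sample webhook body and header (not real traffic).
SAMPLE_BODY = b'{"event":"payment.completed","id":"evt_example"}'
SAMPLE_HEADER = "sha-256=:%s:" % base64.b64encode(
    hashlib.sha256(SAMPLE_BODY).digest()).decode()

if __name__ == "__main__":
    print(content_digest_ok(SAMPLE_BODY, SAMPLE_HEADER))
```

Compute the digest over the raw request bytes before any JSON parsing, since re-serialising the body changes the bytes. A matching digest shows integrity only; authenticity still depends on verifying the HTTP message signature in step 3.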