Webhook signatures need to be verified in order to guarantee that the webhook was sent from our system and was not tampered with via a man in the middle attack.

Public Key

Upon configuring a webhook, a cryptographic public key is generated for verifying the webhook message signatures. This verification process assures the authencity and integrity of the webhook message.

Validate Webhook Message

1

Retrieve Public Key

That key can be retrieved by making a GET request to /webhooks/key
  curl --request GET \
    --url https://api.pipevest.com/v1/webhooks/key \
    --header 'Authorization: Bearer 123456' \
    --header 'Signature: sig1=:OTEyMjY4...A5NTNDMEQ=:' \
    --header 'Signature-Input: sig1=("Content-Type" "Content-Digest" "Content-Length" "Authorization" "X-Client-Id" "X-Idempotency-Key" "@method" "@target-uri" "@path" "@query");keyid="staging-pipevest-ed25519";created=1732893484;expires=1732893584' \
    --header 'X-Client-Id: 123456' \
2

Verify Content Digest

Content Digest

Learn more about content digest
3

Verify HTTP Message Signature

Message Signature

Learn more about message signatures
If you are unable to verify either to content digest or the HTTP message signature, you should discard the webhook message