Skip to main content
Payloads are signed using asymmetric (public-key) cryptography to guarantee the authenticity of delivered callbacks. Each callback delivery request includes an X-Signature header field. This field contains a base64-encoded RSA PKCS#1 v1.5 signature of the SHA-256 digest of the request body buffer. You can obtain the public key for Webhook authentication from Webhook.public_key of the corresponding Webhook. You can obtain the public key for success callback authentication from GET /public_key/. Please note that CHIP is not responsible for any financial losses incurred as a result of failing to implement payload signature verification.

How to verify

The verification process is:
  1. Read the raw request body (before JSON parsing). The signature is computed over the bytes as received.
  2. Decode the X-Signature header from base64.
  3. Verify it against the request body using the public key with RSA PKCS#1 v1.5 padding and a SHA-256 digest.
  4. Reject the request if verification fails.
Always verify the raw request body. Re-serializing the parsed JSON will change byte ordering or whitespace and break the signature.

Example (Node.js)

Example (PHP)

Example (Python)