How to validate a webhook
This example shows how to validate the webhook messages we send to notify your systems of platform events.
When you receive a webhook notification from Fabank, the request header includes a field called signature. It contains a base64-encoded signature that, checked against Fabank's public key, lets you confirm that Fabank issued the call.
Library
To assist your development, libraries that handle this ECDSA verification are available at Git.
Example of use
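$signature = $request->header('signature'); // base64 signature sent by Fabank
$message = $request->getContent(); // raw request body; assumed here to be the signed message
$envPK = env('fabank_public'); // PEM public key, get from url: url_api_fabank/api/v1/public-key
$signature2 = \EllipticCurve\Signature::fromBase64($signature);
$publickey = \EllipticCurve\PublicKey::fromPem($envPK);
$verify = \EllipticCurve\Ecdsa::verify($message, $signature2, $publickey); // true only when the signature is valid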
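The snippet above leaves open what happens when the header is missing or malformed. The following is an added example, not Fabank's code, of a handler-side check that rejects every such case. It assumes the EllipticCurve library used above is installed through Composer and that the signed message is the raw request body; the helper name, key pair and payload are constructed for illustration.

```php
<?php
// Added example, not Fabank's code. Assumes the EllipticCurve library used on
// this page is installed and autoloaded through Composer.
require __DIR__ . '/vendor/autoload.php';

use EllipticCurve\Ecdsa;
use EllipticCurve\PrivateKey;
use EllipticCurve\PublicKey;
use EllipticCurve\Signature;

/**
 * Hypothetical helper: returns true only when $signatureHeader is a valid
 * signature over $rawBody under $publicKeyPem. Every other outcome is false.
 * Assumption: the signed message is the raw request body, so verify the bytes
 * as received, before any json_decode() or re-serialization.
 */
function isValidFabankWebhook(string $rawBody, ?string $signatureHeader, string $publicKeyPem): bool
{
    if ($signatureHeader === null || $signatureHeader === '') {
        return false; // unsigned request: reject
    }
    try {
        $signature = Signature::fromBase64($signatureHeader);
        $publicKey = PublicKey::fromPem($publicKeyPem);
        return Ecdsa::verify($rawBody, $signature, $publicKey) === true;
    } catch (\Throwable $e) {
        return false; // malformed signature or key: reject, never fall through
    }
}

// Constructed test data: a locally generated key pair stands in for Fabank's.
$senderKey = new PrivateKey();
$publicKeyPem = $senderKey->publicKey()->toPem();
$body = '{"event":"constructed.sample","id":"123"}';
$header = Ecdsa::sign($body, $senderKey)->toBase64();

$cases = [
    'untouched body'         => [$body, $header],
    'body altered'           => [str_replace('123', '124', $body), $header],
    'header missing'         => [$body, null],
    'header not a signature' => [$body, 'AAAA'],
];
foreach ($cases as $label => [$b, $h]) {
    printf("%-24s %s\n", $label, isValidFabankWebhook($b, $h, $publicKeyPem) ? 'accept' : 'reject');
}
```

In a real handler, respond with an error status and stop processing whenever the helper returns false.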
Updated 9 months ago
