Learn how to secure your webhooks.
Signature header on each webhook request we make to your server. The signature is made up of the following 2 components, which are then encrypted with an Orum-managed private key:
created_at timestamp in the request body
created_at). We utilize a standardized signing library with PKCS1 v1.5 padding, and the signature is base64 encoded.
Using the public key that is returned to you by making a GET request to the webhooks/secret endpoint, you can verify that the message has not been altered and that it is in fact coming from Orum.
Initialize your public key
webhooks/secret endpoint.

Retrieve your public key
webhooks/secret endpoint.

Recreate the unencrypted plaintext digital signature
created_at field in the request body

Decrypt the digital signature with your public key
webhooks/secret endpoint

Verify that the decrypted digital signature from Orum and your recreated unencrypted plaintext digital signature match
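
One way to carry out the verification steps above in Node.js, as an added example that is not Orum's code. It assumes SHA-256 as the digest, plain concatenation of the two signed components, and a five-minute freshness window on created_at, none of which this page states; buildSignedMessage, verifyWebhook, makeSample and the evt_constructed value are hypothetical, and a locally generated key pair stands in for the key returned by webhooks/secret.

```javascript
// Added example, not Orum's code. Lines marked ASSUMED are not stated on the page.
const crypto = require('node:crypto');

// ASSUMED: the two signed components are concatenated as-is. The page names
// created_at from the request body; the other component is passed in by the caller.
function buildSignedMessage(otherComponent, createdAt) {
  return Buffer.from(`${otherComponent}${createdAt}`, 'utf8');
}

function verifyWebhook({ publicKeyPem, rawBody, signatureB64, otherComponent,
                         now = Date.now(), maxAgeMs = 5 * 60 * 1000 }) {
  let body;
  try { body = JSON.parse(rawBody); } catch { return { ok: false, reason: 'bad-json' }; }
  if (!body || typeof body.created_at !== 'string') return { ok: false, reason: 'missing-created_at' };
  // Buffer.from(..., 'base64') silently skips invalid characters, so check the shape first.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(signatureB64 || '')) {
    return { ok: false, reason: 'bad-signature-encoding' };
  }
  let valid = false;
  try {
    // One library call performs the "decrypt and compare" steps, padding check included.
    valid = crypto.verify('sha256', // ASSUMED digest
      buildSignedMessage(otherComponent, body.created_at),
      { key: publicKeyPem, padding: crypto.constants.RSA_PKCS1_PADDING },
      Buffer.from(signatureB64, 'base64'));
  } catch { valid = false; }
  if (!valid) return { ok: false, reason: 'bad-signature' };
  // ASSUMED policy: after the signature passes, reject authentic but old deliveries (replays).
  const age = Math.abs(now - Date.parse(body.created_at));
  if (!Number.isFinite(age) || age > maxAgeMs) return { ok: false, reason: 'stale' };
  return { ok: true, body };
}

// Constructed sample: a locally generated key pair stands in for Orum's key.
function makeSample(createdAt) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const otherComponent = 'evt_constructed'; // constructed placeholder value
  const signature = crypto.sign('sha256', buildSignedMessage(otherComponent, createdAt), privateKey);
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    rawBody: JSON.stringify({ created_at: createdAt, event: 'constructed.sample' }),
    signatureB64: signature.toString('base64'),
    otherComponent,
  };
}
```

Pass the request body exactly as received, before any framework re-serializes it, since a re-encoded created_at value would no longer match what was signed.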