Verifying Webhook Signatures

Swagger UI: POST /gateway/api/webhooks/v1/signature/verify

To ensure webhook endpoints are triggered by our service and not by an attacker, we employ a data signature mechanism.

You could verify webhook signature via asymmetric key pairs by retrieving public key from Kaminari and create verification logic on your side, or use endpoint for verification.

Curl example:

curl --location --request POST 'https://api.kaminari.cloud/gateway/api/bitcoin/v1/payment/send' \
--header 'Content-Type: application/json' \
--header 'X-kaminari-api-key: <API_KEY>' \
--header 'X-kaminari-api-signature: <API_SIGNATURE>' \
--data-raw '{
    "signature": "8822c5e52859e6850381749975b8eacb3b980c8a6b668abbc89a9a7117a0754e3f7778d97cc1e83375686b041c4a1f0dd8b901265f983ec9e56f1a38c53450fe01",
    "event": "ewoJIlR5cGUiOiAiRVZFTlRfVFlQRV9MSUdIVE5JTkdfSU5WT0lDRV9JU19QQUlEIiwKCSJsaWdodG5pbmdfaW52b2ljZV9pc19wYWlkIjogewoJCSJpZCI6ICJ0ZXN0X2lkIgoJfQp9",
    "nonce" : "1699926593"
}'

To check the correctness of the signature, you need to encode the event in base64 bytes, as an example, you can use the online service.

Response:

{
	"isValid":true
}

PreviousWebhook Registration NextLNURL

Last updated 1 year ago