Security around the callback url?

What security is there built around the callback url that POYNT posts to once a request is completed? How would I know that this is actually POYNT putting this callback into the URL vs some other entity? Without some sort of auth or security, it seems I would not be able to just trust the payloads that arrive on the callback url that is supplied. I looked at the example post for dev requests and saw nothing security-wise there…

Hi there,

When you register a webhook, you provide a secret. That secret is then used to sign the whole JSON object (Base64 SHA1 HMAC), which you can validate against the header Poynt-Webhook-Signature. See webhook docs for more info and an example on providing secret and validating using OpenSSL on the CLI.

Thanks,
Neil

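The validation described in the answer above, sketched on the receiving side as an added example (not code from the thread or from Poynt). It assumes the HMAC is computed over the raw request body bytes exactly as received, with the webhook secret as a UTF-8 key and standard Base64 encoding; the function names, secret and payload are constructed for illustration.

```python
import base64
import hashlib
import hmac

SIGNATURE_HEADER = "Poynt-Webhook-Signature"  # header name given in the answer


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Return Base64(HMAC-SHA1(secret, raw_body))."""
    mac = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_webhook(secret: str, raw_body: bytes, headers: dict) -> bool:
    """True only if the signature header matches the body as received."""
    received = None
    for name, value in headers.items():
        # HTTP header names are case-insensitive.
        if name.lower() == SIGNATURE_HEADER.lower():
            received = value.strip()
            break
    if not received:
        return False  # unsigned requests are rejected, never trusted
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real Poynt data.
    secret = "example-webhook-secret"
    body = b'{"eventType":"EXAMPLE_EVENT","resourceId":"constructed-id"}'
    good = {SIGNATURE_HEADER: compute_signature(secret, body)}

    print(verify_webhook(secret, body, good))                 # genuine
    print(verify_webhook(secret, body + b" ", good))          # body altered
    print(verify_webhook(secret, body, {}))                   # header missing
```

Verify against the bytes read from the socket before any JSON parsing; re-serializing the parsed object can change whitespace or key order and make a genuine signature fail.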