System security enhancement: callback signature

1 year, 7 months ago

Our team has released an update for the system that will enhance security by providing a signature of the sent callback, so you can verify that all the information was sent from our system and not spoofed in any way.

From now on, callbacks are sent with an extra header, x-ca-signature, which is a base64-encoded 1024-bit RSA-SHA256 signature of the callback. The signed data depends on the type of callback you're receiving: if it's sent via GET, the full request URL to your system (including all GET parameters) is signed; if it's sent via POST, the entire body of the request is signed.

The public key for the verification can be retrieved from this endpoint:

This new signature, and how to verify it, is explained in detail, with code samples, in this article.
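One way to perform the check in Node.js, as an added example that is not our official sample code: it assumes the public key is PEM-encoded and that the signature uses PKCS#1 v1.5 padding (neither is stated in this post), and it uses a throwaway key pair and constructed requests in place of the real endpoint.

```javascript
const crypto = require("crypto");

// Pick the bytes that were signed: full URL for GET, raw body for POST.
function signedData(method, fullUrl, rawBody) {
  const m = String(method).toUpperCase();
  if (m === "GET") return Buffer.from(fullUrl, "utf8");
  if (m === "POST") return Buffer.from(rawBody ?? "");
  throw new Error("unsupported callback method");
}

// True only for a valid signature; missing or malformed input fails closed.
// Assumptions: PEM public key, PKCS#1 v1.5 padding (Node's RSA default).
function verifyCallback(req, publicKeyPem) {
  const header = req.headers["x-ca-signature"]; // Node lower-cases header names
  if (typeof header !== "string") return false;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(header)) return false;
  try {
    const data = signedData(req.method, req.fullUrl, req.rawBody);
    return crypto.verify("sha256", data, publicKeyPem, Buffer.from(header, "base64"));
  } catch {
    return false;
  }
}

// Constructed demo: a throwaway key pair stands in for the service's key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 1024, // matches the key size stated in the post
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  const sign = (s) => crypto.sign("sha256", Buffer.from(s), privateKey).toString("base64");
  const url = "https://merchant.example/callback?order=1001&status=paid";
  const body = '{"order": 1001, "status": "paid"}';
  const get = { method: "GET", fullUrl: url, headers: { "x-ca-signature": sign(url) } };
  const post = { method: "POST", rawBody: Buffer.from(body),
                 headers: { "x-ca-signature": sign(body) } };
  return {
    getOk: verifyCallback(get, publicKey),
    postOk: verifyCallback(post, publicKey),
    tamperedUrl: verifyCallback({ ...get, fullUrl: url.replace("1001", "1002") }, publicKey),
    // Parsing and re-serializing JSON changes the bytes, so verification fails.
    reserialized: verifyCallback({ ...post, rawBody: JSON.stringify(JSON.parse(body)) }, publicKey),
    missingHeader: verifyCallback({ ...post, headers: {} }, publicKey),
  };
}

console.log(demo());
```

In a real handler, `fullUrl` has to be the URL exactly as it was requested and `rawBody` the bytes captured before any body parser runs.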


This is not a breaking change: if you don't need to verify the sent callback, you will not need to change anything in your implementation. Everything should continue to work as intended; this improvement just provides another layer of trust and security for the data sent via the callbacks.

We hope you enjoy it, and, as always, if you have any questions or suggestions, please feel free to contact us anytime!