Security is critical when dealing with automated event notifications.
Digital Signature Verification
All webhook requests include a digital signature using the ED25519 algorithm. The signature is provided in the following HTTP header:
X-Partoo-Signature-v1: BASE64_SIGNATURE
 
To verify:
- Base64 decode the signature
- Recalculate the hash of the payload
- Use our public key to validate the signature
 
The production and sandbox environments use separate public keys. Use the key that matches the environment sending the webhook:
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA0G9ciHL6XZQXuWq6W4dFLvwNEPWgcdtQgEVlBIwZWBQ=
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEALsyvX2yVnG3ZKRIFfEvYk2nkzanoNgAqBSqdeNub4sM=
-----END PUBLIC KEY-----
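
As an added example (not Partoo's own code), here are the verification steps above in Node.js with the built-in crypto module. It assumes the signature covers the raw request body bytes exactly as received, with Ed25519 doing its hashing inside the verify call; the function names and the sample payload are constructed for illustration.

```javascript
// Added example: verify the X-Partoo-Signature-v1 header with Node's crypto module.
const crypto = require('node:crypto');

const ED25519_SIG_LEN = 64; // an Ed25519 signature is always 64 bytes

// rawBody: Buffer holding the request body exactly as received (before JSON parsing).
// signatureHeader: value of the X-Partoo-Signature-v1 header (Base64).
// publicKeyPem: PEM public key of the environment that sent the webhook.
// Assumption: the signature covers the raw body bytes.
function verifyPartooSignature(rawBody, signatureHeader, publicKeyPem) {
  if (!Buffer.isBuffer(rawBody) || typeof signatureHeader !== 'string') return false;
  // Buffer.from(..., 'base64') silently skips invalid characters, so check the
  // alphabet and the decoded length explicitly before verifying.
  const b64 = signatureHeader.trim();
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return false;
  const signature = Buffer.from(b64, 'base64');
  if (signature.length !== ED25519_SIG_LEN) return false;
  try {
    const key = crypto.createPublicKey(publicKeyPem);
    if (key.asymmetricKeyType !== 'ed25519') return false;
    // For Ed25519 the algorithm argument is null: hashing is part of the scheme.
    return crypto.verify(null, rawBody, key, signature);
  } catch {
    return false; // unparsable key or signature: reject the request
  }
}

// Constructed demo: a throwaway key pair stands in for the sender's key,
// and the JSON body is sample data, not a real webhook payload.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const body = Buffer.from('{"type":"business_update","business_id":"constructed-123"}');
  const header = crypto.sign(null, body, privateKey).toString('base64');
  const tampered = Buffer.from(body.toString().replace('123', '124'));
  return {
    valid: verifyPartooSignature(body, header, pem),
    tamperedBody: verifyPartooSignature(tampered, header, pem),
    missingHeader: verifyPartooSignature(body, undefined, pem),
    truncatedSig: verifyPartooSignature(body, header.slice(0, 40), pem),
  };
}
```

Pass the body bytes as they arrived on the wire: re-serializing parsed JSON can change the bytes, and verification then fails.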
 
Shared Secret in URL
You may include a shared secret in your webhook URL:
Examples:
https://my.integration.io/webhooks/partoo/9fa91de19/business_update
https://my.integration.io/webhooks/partoo/business_update?key=9fa91de19