Security is critical when dealing with automated event notifications.

Digital Signature Verification

All webhook requests include a digital signature using the ED25519 algorithm. The signature is provided in the following HTTP header:
X-Partoo-Signature-v1: BASE64_SIGNATURE
To verify:
  1. Base64 decode the signature
  2. Recalculate the hash of the payload
  3. Use our public key to validate the signature
Production and sandbox environments use separate keys. Use the public key that matches the environment sending the webhook:
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA0G9ciHL6XZQXuWq6W4dFLvwNEPWgcdtQgEVlBIwZWBQ=
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEALsyvX2yVnG3ZKRIFfEvYk2nkzanoNgAqBSqdeNub4sM=
-----END PUBLIC KEY-----
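
The three verification steps above as a Node.js check. This is an added example, not Partoo's own code. It assumes the signature covers the exact raw bytes of the request body (the page names no separate hash function, and Ed25519 hashes the message internally). `verifyPartooSignature`, `demo` and the sample payload are constructed for illustration, and a throwaway key pair stands in for Partoo's signing key.

```javascript
const nodeCrypto = require('node:crypto');

// One of the two public keys published above. The page does not say which
// environment it belongs to; load the key matching the sending environment.
const PARTOO_KEY_PEM = `-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA0G9ciHL6XZQXuWq6W4dFLvwNEPWgcdtQgEVlBIwZWBQ=
-----END PUBLIC KEY-----`;

// True only if signatureHeader (the X-Partoo-Signature-v1 value) is a valid
// Ed25519 signature over rawBody under publicKeyPem. Fails closed on any error.
// Assumption: the signature covers the exact bytes of the request body.
function verifyPartooSignature(rawBody, signatureHeader, publicKeyPem) {
  if (!Buffer.isBuffer(rawBody) || typeof signatureHeader !== 'string') return false;
  const signature = Buffer.from(signatureHeader.trim(), 'base64'); // step 1
  if (signature.length !== 64) return false; // Ed25519 signatures are 64 bytes
  try {
    const key = nodeCrypto.createPublicKey(publicKeyPem);
    if (key.asymmetricKeyType !== 'ed25519') return false;
    // Steps 2-3: Ed25519 hashes the message itself, so the digest name is null.
    return nodeCrypto.verify(null, rawBody, key, signature);
  } catch {
    return false; // unparsable key or rejected input
  }
}

// Constructed demo: a throwaway key pair stands in for Partoo's signing key.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const body = Buffer.from('{"event":"business_update","id":"constructed-1"}');
  const header = nodeCrypto.sign(null, body, privateKey).toString('base64');
  const tampered = Buffer.from(body.toString().replace('-1', '-2'));
  return {
    genuine: verifyPartooSignature(body, header, pem),
    tampered: verifyPartooSignature(tampered, header, pem),
    otherKey: verifyPartooSignature(body, header, PARTOO_KEY_PEM),
    truncated: verifyPartooSignature(body, header.slice(0, 40), pem),
  };
}

console.log(demo());
```

In a request handler, pass the body bytes exactly as received, before any JSON parsing, because re-serialized JSON will generally not match the signed bytes.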

Shared Secret in URL

You may include a shared secret in your webhook URL. Examples:
https://my.integration.io/webhooks/partoo/9fa91de19/business_update
https://my.integration.io/webhooks/partoo/business_update?key=9fa91de19