How to Verify the Callback Signature

How does the callback signature work?

BlockBee's callback signature works with public-key signature scheme, using a 1024-bit RSA SHA256 signature. It signs the entire callback sent to your service, therefore you can trust that all the data was sent from our service.

If the request is sent via GET, then the full URL (with all GET parameters) are signed. If you requested to receive the callback via POST, then the entire request body is signed.

The public key used to validate the signature can be fetched from the following endpoint: https://api.blockbee.io/pubkey/

The signature is sent via the "x-ca-signature" header of the request, and is base64-encoded.

How do I validate the callback?

Here is an example of how the data provided to the verification function must look like.

Bellow are examples on how you can achieve it based on different programming languages.

PHP

Python (Django)

Node.js

Was this article helpful?

3 out of 6 liked this article

Still need help? Message Us