
devingoldfish | 3 years ago

> You should validate that the request is signed correctly

I agree with you here, but wondering what you see the benefit of per-app PKI is, versus signing all webhooks with the same cert. Is it to prevent having to do a key rotation that would impact every webhook consumer?

subomi | 3 years ago

If you specify one public key for all endpoints, it means all consumers can verify each other's webhook data, which is not what you want. You want each consumer to be able to verify only webhooks intended for them and fail otherwise.

We wrote a detailed guide on generating and rolling public key/secrets for your endpoints here [1].

[1] https://getconvoy.io/blog/generating-stripe-like-webhook-sig...
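The point made in this reply, as an added illustration that is not code from the thread or from Convoy: the provider keeps a separate signing secret per endpoint, so a signature produced for one consumer does not verify under another consumer's secret, and keeping more than one secret active per endpoint lets that endpoint rotate without touching anyone else. The Stripe-style `t=<timestamp>,v1=<hex>` header layout, the secret values and the 5-minute tolerance are assumptions for the example; verification uses a constant-time comparison.

```python
import hmac
import hashlib

# Constructed example: each endpoint (consumer) has its own secret(s), stored by
# the provider keyed on endpoint id. A list allows several active secrets so one
# endpoint can rotate (new secret first, old one still accepted) without any
# other consumer being affected.
ENDPOINT_SECRETS = {
    "ep_alice": ["whsec_alice_v2", "whsec_alice_v1"],  # v1 still valid during rotation
    "ep_bob": ["whsec_bob_v1"],
}

TOLERANCE_SECONDS = 300  # assumed replay window; older signatures are rejected


def _compute_signature(secret, timestamp, payload):
    """HMAC-SHA256 over "<timestamp>.<payload>" so the timestamp is bound to the body."""
    signed_payload = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def sign_webhook(endpoint_id, payload, timestamp):
    """Provider side: sign with the endpoint's current (first listed) secret.

    Header format "t=<ts>,v1=<hex>" is an assumption modelled on Stripe's layout.
    """
    current_secret = ENDPOINT_SECRETS[endpoint_id][0]
    return "t={},v1={}".format(timestamp, _compute_signature(current_secret, timestamp, payload))


def verify_webhook(secrets, header, payload, now):
    """Consumer side: accept only if the timestamp is fresh and one of this
    consumer's own secrets reproduces the signature. Any secret belonging to a
    different endpoint fails, which is the isolation the reply describes."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        timestamp = int(fields["t"])
        received = fields["v1"]
    except (KeyError, ValueError):
        return False  # malformed header
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or far-future timestamp
    # Constant-time compare against every active secret for this endpoint.
    return any(
        hmac.compare_digest(_compute_signature(s, timestamp, payload), received)
        for s in secrets
    )


if __name__ == "__main__":
    body = b'{"event":"invoice.paid","id":"evt_1"}'  # constructed payload
    ts = 1700000000
    header = sign_webhook("ep_alice", body, ts)
    print("alice verifies own webhook:", verify_webhook(ENDPOINT_SECRETS["ep_alice"], header, body, ts))
    print("bob verifies alice's webhook:", verify_webhook(ENDPOINT_SECRETS["ep_bob"], header, body, ts))
```

Rotation works because the consumer tries every secret it currently holds, so the provider can switch to the new secret as soon as the consumer has been given it, then drop the old one later; no other endpoint sees any change.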