Verify notification deliveries
Eyer notification deliveries can be verified in two independent ways. You can use either one or both:
- compare the `X-Notification-Token` header with the environment token returned by the Notifications API
- verify the `X-Signature` header against the raw request body using the environment RSA public key
You can obtain the verification values from the endpoint:
GET /v1/notifications/subscriptions
That response includes:
- `configuration.xNotificationToken`
- `configuration.rsaKey.public`
The notification token and RSA public key are provided after the first notification subscription is created for an environment.
Option 1: Verify the notification token
Each outbound notification request includes the header:
X-Notification-Token: <token>
To verify the request, compare that value to the xNotificationToken stored for your environment.
This is the simplest verification option when you only need to confirm that the request came from the configured Eyer environment.
Option 2: Verify the RSA signature
Each outbound notification request includes:
X-Signature: <base64-signature>
The signature is generated with RSA-SHA256 over the exact JSON request body string sent to your endpoint.
To verify it:
- read the raw request body exactly as received
- read the `X-Signature` header value
- load the `rsaKey.public` value for your environment
- verify the signature using RSA-SHA256
Verify X-Signature against the exact raw HTTP request body as it was received on the wire.
Do not parse and re-serialize the JSON before verification. Even small formatting changes can invalidate the signature.
In practice, your receiver should:
- preserve the raw request body before JSON parsing
- read the `X-Signature` header
- verify the signature against that raw body using RSA-SHA256 and `rsaKey.public`
- parse the JSON only after verification, or from the preserved raw body
If your framework parses JSON automatically, make sure you also enable access to the unmodified raw body.