Securing Webhook Endpoints with JWT

When pushing notifications, the payload itself is protected by the following controls:

- The destination endpoint is configured inside the FrankieOne network and cannot be changed via the API.
- Notifications are sent only over HTTPS, using secure TLS algorithms.
- Firewall IP whitelisting is applied in both directions, for sending and for receiving.

However, in some cases we would like to add a further layer of security and sign our requests with JSON Web Tokens, so that the receiver can verify that a pushed message genuinely originated from FrankieOne and was not altered in transit.

JWT - Signature and Payload.

FrankieOne’s implementation follows the JWT standard (RFC 7519) with a JWS signature (RFC 7515), namely:

We have a header:

{
    "alg": "RS256",
    "typ": "JWT"
}

A Body:

{
    "sub": "[email protected]",           // only supplied if the
                                        // notification comes from the
                                        // portal
    "iat": 1516239022,                  // UTC epoch timestamp in
                                        // seconds
    "iss": "io.frankiefinancial.kycaml" // Fixed string
}

And the signature, produced with a 4096-bit RSA private key that is unique to each of our customers.
The matching public key will be supplied to the customer for verification. The public key can only verify tokens; it cannot be used to forge them, so it needs no special protection beyond being the correct key.

The header and body are individually base64url encoded (the URL-safe alphabet without padding, as the JWS standard requires), then joined together with a fullstop “.”.

The signature is the base64url encoding of an RS256 signature (RSASSA-PKCS1-v1_5 with SHA-256) over the ASCII string “<base64url header>.<base64url body>”, computed with the private key. Note that this is a signature, not encryption: the header and body remain readable by anyone who sees the token, and the signature only proves who produced them and that they have not been changed.

All three are then concatenated with a fullstop separator to form the JWT, which is sent in the Authorization header of the HTTP POST to the webhook.

The header will be (note that the Bearer scheme, per RFC 6750, is followed by a space and no colon):

Authorization: Bearer <base64url header>.<base64url body>.<base64url RS256(<base64url header>.<base64url body>)>

When verifying, the receiver should pin the expected algorithm to RS256 rather than trusting the alg field in the token, verify the signature before reading any claim, check that iss is the fixed string above, and reject tokens whose iat falls outside a short acceptance window, so that a captured token cannot be replayed indefinitely.
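The following is an added example of the verification described above, written for a webhook receiver in Go. It is not FrankieOne’s own code: the signing function stands in for the sender so that the example runs offline, the key pair is generated locally (in practice the receiver holds only the public key supplied by FrankieOne), the email address and the five-minute acceptance window are constructed values, and base64url without padding is assumed for all three segments as RFC 7515 specifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ExpectedIssuer is the fixed iss value documented for FrankieOne notifications.
const ExpectedIssuer = "io.frankiefinancial.kycaml"

// clockSkew bounds how far in the future an iat may be; maxAge is chosen by the caller.
const clockSkew = 60 * time.Second

// b64 is base64url without padding, the JWS (RFC 7515) segment encoding.
var b64 = base64.RawURLEncoding

// Claims mirrors the documented body; sub is omitted for non-portal notifications.
type Claims struct {
	Sub string `json:"sub,omitempty"`
	Iat int64  `json:"iat"`
	Iss string `json:"iss"`
}

// SignJWT builds header.body.signature with RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
// Stand-in for the sender side so the example runs offline.
func SignJWT(priv *rsa.PrivateKey, claims Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyWebhookAuth checks the Authorization header of an incoming webhook POST and returns
// the claims only if the token is well formed, signed by pub, from ExpectedIssuer, and
// issued within [now-maxAge, now+clockSkew].
func VerifyWebhookAuth(authHeader string, pub *rsa.PublicKey, now time.Time, maxAge time.Duration) (*Claims, error) {
	const scheme = "Bearer "
	if !strings.HasPrefix(authHeader, scheme) {
		return nil, errors.New("authorization header does not use the Bearer scheme")
	}
	parts := strings.Split(strings.TrimPrefix(authHeader, scheme), ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have exactly three segments")
	}
	// Pin the algorithm: alg is attacker-controlled until the signature is verified, so it
	// must never choose the verifier (blocks alg=none and HS256/public-key confusion).
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header segment: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
		Typ string `json:"typ"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, fmt.Errorf("header JSON: %w", err)
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q, only RS256 is accepted", header.Alg)
	}
	// Verify the signature over the exact bytes received, before trusting any claim.
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature segment: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	// Only now are the claims trustworthy: check issuer and freshness.
	bodyJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("body segment: %w", err)
	}
	var claims Claims
	if err := json.Unmarshal(bodyJSON, &claims); err != nil {
		return nil, fmt.Errorf("body JSON: %w", err)
	}
	if claims.Iss != ExpectedIssuer {
		return nil, fmt.Errorf("unexpected issuer %q", claims.Iss)
	}
	issued := time.Unix(claims.Iat, 0)
	if issued.After(now.Add(clockSkew)) || now.Sub(issued) > maxAge {
		return nil, errors.New("iat outside the acceptance window (stale or replayed token)")
	}
	return &claims, nil
}

func main() {
	// Locally generated stand-in for the per-customer 4096-bit key pair.
	priv, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	token, _ := SignJWT(priv, Claims{Sub: "user@example.com", Iat: now.Unix(), Iss: ExpectedIssuer}) // constructed sub
	claims, err := VerifyWebhookAuth("Bearer "+token, &priv.PublicKey, now, 5*time.Minute)
	fmt.Println("genuine token:", claims, err)
	// A body rewritten after signing must fail, because the signature covers header.body.
	parts := strings.Split(token, ".")
	forged := b64.EncodeToString([]byte(fmt.Sprintf(`{"sub":"attacker","iat":%d,"iss":%q}`, now.Unix(), ExpectedIssuer)))
	_, err = VerifyWebhookAuth("Bearer "+parts[0]+"."+forged+"."+parts[2], &priv.PublicKey, now, 5*time.Minute)
	fmt.Println("forged body rejected:", err != nil)
}
```

The order of checks matters: the algorithm is pinned and the signature verified before the body is even decoded, so no claim influences control flow until it is known to be authentic. Keep maxAge short and, if the webhook is idempotency-sensitive, additionally record seen (sub, iat) pairs for the length of the window so an identical token cannot be delivered twice.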

JWTs can be switched on for individual Customers by prior request.

Additional fields can also be included in the body upon request and availability.