Commit

Update webhooks doc to include jwks endpoint (#1694)
gunndabad authored Nov 21, 2024
1 parent 93726c2 commit 1b8e3f1
Showing 2 changed files with 15 additions and 8 deletions.
10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -52,12 +52,12 @@ See the [changelog](CHANGELOG.md) for the details of what has changed between ve

## Environments

| Name | URL |
| -------------- | ----------------------------------------------------------- |
| Production | https://teacher-qualifications-api.education.gov.uk |
| Name | API URL |
| --- | --- |
| Production | https://teacher-qualifications-api.education.gov.uk |
| Pre-production | https://preprod.teacher-qualifications-api.education.gov.uk |
| Test | https://test.teacher-qualifications-api.education.gov.uk/ |
| Development | https://dev.teacher-qualifications-api.education.gov.uk/ |
| Test | https://test.teacher-qualifications-api.education.gov.uk/ |
| Development | https://dev.teacher-qualifications-api.education.gov.uk/ |


## Developer setup
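
Review bot: In the Environments table, the Test and Development rows keep a trailing slash (`https://test.teacher-qualifications-api.education.gov.uk/`) while Production and Pre-production do not. The webhooks doc changed in this same commit tells readers to take the environment-specific base URL from this table and use `/webhook-jwks` with it, so plain concatenation gives `//webhook-jwks` for two of the four environments. Suggest dropping the trailing slash from both rows so all four entries have the same form.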
13 changes: 10 additions & 3 deletions docs/api-designs/webhooks.md
Expand Up @@ -66,10 +66,17 @@ If after the final retry the message was still not delivered successfully no fur

## Verifying the webhook

Follow [the spec](https://www.rfc-editor.org/rfc/rfc9421.html#name-verifying-a-signature) for verifying the webhook's signature.
You will be given a public key to use for verifying webhooks when your endpoint is configured.
See [the spec](https://www.rfc-editor.org/rfc/rfc9421.html#name-verifying-a-signature) for the details of how to verify the webhook's signature.

The `ping` message can be used to aid verification.
Signatures are made up of `content-digest`, `content-length`, `ce-id`, `ce-type`, and `ce-time` HTTP header components and the `target-uri` derived component.

Each environment publishes the certificates to use for verification at `/webhook-jwks` (see [README.md](../../README.md#Environments) for the environment-specific base URL).
Each HTTP message signature contains the ID of the key that was used to sign the request.
Find the corresponding keys in the `/webhook-jwks` (identified by the `kid` parameter) and use this to verify the signature.

Note that certificates are rotated from time-to-time so these should not be hard-coded anywhere or cached for too long.

The `ping` message can be used during development to help with testing verification.


## Message types
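
Review bot: The sentence listing the signed components includes `content-digest`, but nothing in this section tells receivers to recompute the digest over the request body and compare it with that header. The signature only covers the header value, so without that step the body itself is not authenticated; suggest stating it as an explicit verification step. Two smaller points in the same hunk: the text switches between "certificates" and "keys" for what `/webhook-jwks` returns, and "cached for too long" gives no concrete guidance. Consider using one term throughout and either stating a maximum cache lifetime or saying to refetch the key set when a `kid` is not found in the cached copy.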