Follow

Webhooks

Populi Account Admins have the ability to create webhooks by clicking their profile picture in the upper right and then navigating to Account & Settings > Account > Webhooks.

They can then click Add Webhook to subscribe to notifications from dozens of different events that occur every day in Populi - for example whenever a financial transactions is voided or a new user is created.

If you don't add any conditions you'll receive the webhook every time it's fired, but often you'll want to limit the webhooks you receive by adding multiple condition groups, each of which can be "all conditions must match" or "any condition must match".

Below conditions you'll enter the URL, any expanded properties you want added to the main response, and optionally an HTTP method other than the default GET.

But how does your web application decide if a webhook was really from Populi or not? The answer is by using the Populi-RSA-SHA256-Signature header. Populi currently signs all webhooks with the following public key using a hex encoded RSA SHA256 signature:

	
		 -----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ22tojiHOFGJ8lqYw0P
dGjadLYaB4cSsCbeHF9UPMGSlUYVuyAGzRpt3X5zQIqj6+GPHDCflFI9lwNFfdgJ
xisOgkuPQbySzGh/Cy8QLyeHToP5PVA+GJjX2CxE8r5OByVoyqkI9i14j/bdAeWb
PqXr+7CCkqNlEPioiTgkJai5BCJsSIUf/Mfic95pBQAw96axvwQmoDalcCjYqbjC
0jb1YMmZQ9M0jIDQin1JeaEgwxexE3wSgyG6sSOHuNV6fdHkxqHb3yeCB5DlB+85
mF4QUGPCECreAUt1+248L0vTP65U47M5b2tftIZ4I6/0pxPFzTFR6FSc5k064PrO
5F+v1NOedSxKEDjV4zU06XaEQu03zCPg/aAwyln489FwK7z+Auzph+pJT+Fjdw6q
r8IMaiMBNqVdSlPuB8jd4ZaBvPFO7mTy/2iUl+FFUMJv8QrB8vPSVmVo7FS101S+
faC0RoMbeSr6jnRL898a/F1C7ongYoffTrA1CZWqqaPxsD+sn+FdgQkv1SCLkmpG
Pqq7udV3Qq6UJcuX/l01ryVLfuoGab+1tW4vBMKAfoE4LaPA+zAm9FJPCeqTGw3k
l+CYUEyYGjnCVlKvUw/C0Geoh3xcC83lI0jIA2WgVCBfoaOtgaHTCJ10SRWKxh3J
aWVk4YMpPg+GXGfp60uAdkUCAwEAAQ==
-----END PUBLIC KEY-----

Verifying this signature depends on the language you're using, but will look something like this:

		def valid_signature_for( message, signature : String )
public_key = OpenSSL::PKey::RSA.new POPULI_PUBLIC_KEY, is_private: false
public_key.verify(OpenSSL::Digest.new("SHA256"), signature.hexbytes, message)
end
Was this article helpful?
0 out of 0 found this helpful
Submit a request

0 Comments

Article is closed for comments.