DATE:
AUTHOR: The Product team at Griffin
RELATED ROADMAP ITEMS: 🔏 Webhook message signing
API Security

Webhook signature validation is now available


What's new?

You can now verify that webhook events are genuinely from Griffin using HTTP message signatures. This adds an extra layer of security to protect your systems from potential tampering or spoofed requests.

How does it work?

When you receive a webhook, it includes signature headers that you can verify against Griffin's public keys:

  • Signature headers: each webhook now includes a signature-input header and a signature header

  • Public keys: retrieve Griffin's public keys from our API endpoint to verify signatures

  • Key rotation: we rotate keys periodically for security, and keys that are no longer in use are removed

Implementation steps

  1. Fetch our public keys from https://api.griffin.com/v0/security/public-keys

  2. Extract signature information from the webhook headers

  3. Verify the signature using the appropriate public key
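The receiving side of steps 2 and 3, as an added example that is not Griffin's code: it rebuilds the RFC 9421 signature base from the signature-input header, picks the cached public key named by the keyid parameter, and checks the signature. The sig1 label, the keyid parameter, the Ed25519 algorithm and the shape of the key cache are assumptions; the announcement does not state them.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"strings"
)

// SignatureBase rebuilds the RFC 9421 signature base for label sig1 and returns its keyid.
func SignatureBase(method, path string, h map[string]string) (base, keyID string, err error) {
	params := strings.TrimPrefix(h["signature-input"], "sig1=") // single label assumed
	end, kid := strings.Index(params, ")"), strings.Index(params, `keyid="`)
	if !strings.HasPrefix(params, "(") || end < 0 || kid < 0 {
		return "", "", errors.New("missing or malformed signature-input header")
	}
	derived := map[string]string{"@method": method, "@path": path} // supported derived components
	var lines []string
	for _, c := range strings.Fields(params[1:end]) { // plain identifiers only, no parameters
		name := strings.Trim(c, `"`)
		val, ok := h[name]
		if d, isDerived := derived[name]; isDerived {
			val, ok = d, true
		}
		if !ok {
			return "", "", errors.New("covered component missing from request: " + name)
		}
		lines = append(lines, `"`+name+`": `+val)
	}
	lines = append(lines, `"@signature-params": `+params) // always the final line
	keyID, _, _ = strings.Cut(params[kid+7:], `"`)
	return strings.Join(lines, "\n"), keyID, nil
}

// Verify checks sig1 with the cached key for its keyid; Ed25519 is this example's assumption.
func Verify(method, path string, h map[string]string, keys map[string]ed25519.PublicKey) error {
	base, keyID, err := SignatureBase(method, path, h)
	if err != nil {
		return err
	}
	pub, ok := keys[keyID]
	if !ok { // a newly rotated key: refresh the cache from the public-keys endpoint and retry
		return errors.New("unknown keyid " + keyID)
	}
	sig, err := base64.StdEncoding.DecodeString(strings.Trim(strings.TrimPrefix(h["signature"], "sig1="), ":"))
	if err != nil || !ed25519.Verify(pub, []byte(base), sig) {
		return errors.New("signature verification failed; reject the event and alert")
	}
	return nil
}
```

A receiver fills the keys map from the public-keys endpoint (step 1) and refreshes it when an unknown keyid appears, since rotation can introduce a key the cache has not yet seen.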

See this guide in our documentation for more detailed instructions.

Best practices

  • Cache public keys to avoid repeated API calls

  • Respond quickly to webhooks with a 2xx status code

  • Process webhook data asynchronously after verification

  • Monitor verification failures as they could indicate security issues

Learn more in the docs

Check out our detailed guide for implementation instructions and code examples.


Thanks for reading!
