Receiving Webhooks
Webhook signing uses a symmetric-key strategy: QI DTVM and the integrating partner share the same key. When we configure webhooks, we generate a Signature Key and make it available. Every request originating from the QI system carries a SIGNATURE header containing a JWT signed with this key. The token is signed with the HS256 algorithm.
Below is a Python example of how to decode the signature:
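```python
from jose import jwt

signature_key = "UNIQUE CONFIGURED KEY"  # Signature Key generated when the webhook was configured

def decode_signature(headers):  # headers: header mapping of the incoming webhook request
    signature_token = headers["SIGNATURE"]
    # Raises jose.exceptions.JWTError if the signature is invalid or the algorithm is not HS256
    decoded_token = jwt.decode(signature_token, key=signature_key, algorithms=["HS256"])
    print(decoded_token)
    return decoded_token
```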
We suggest that, in addition to verifying the signature, the integrating partner validate our IP, since all our requests originate from the same IP for each environment:
| Environment | IP |
|---|---|
| Production | - |
| Sandbox | - |
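
Both checks described above (the HS256 signature on the SIGNATURE header and the source IP) combined in one receiver-side function, as an added example rather than QI DTVM's own code. It uses only the Python standard library to show what the verification involves; the allow-listed address is a constructed placeholder (the real IPs come from the table above), and `verify_webhook`, `sign_hs256` and the token claims are hypothetical names and values.

```python
import base64, hashlib, hmac, ipaddress, json

SIGNATURE_KEY = "UNIQUE CONFIGURED KEY"   # placeholder, as in the snippet above
ALLOWED_SOURCE_IPS = {"203.0.113.10"}     # constructed documentation address, not a real QI DTVM IP

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: str) -> str:
    """Build an HS256 JWT; used here only to create constructed sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_webhook(headers: dict, source_ip: str, key: str = SIGNATURE_KEY) -> dict:
    """Return the token claims, or raise ValueError if any check fails."""
    if str(ipaddress.ip_address(source_ip)) not in ALLOWED_SOURCE_IPS:
        raise ValueError("unexpected source IP")
    token = headers.get("SIGNATURE")
    if not token or token.count(".") != 2:
        raise ValueError("missing or malformed SIGNATURE header")
    header_b64, body_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # base64 and JSON decoding errors are ValueError subclasses
        raise ValueError("undecodable token") from exc
    # Accept only HS256: the token's own "alg" field must never choose the algorithm.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key.encode(), f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))
```

Pass `source_ip` from the connection's peer address or from a proxy you control, not from a header the sender can set.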
QI DTVM webhooks should not be mapped restrictively. Additional fields may be included in the webhook payloads returned in our APIs.