Validating Router Signature

Every request from the router includes a signature in the form of a JSON Web Token (JWT). In addition to the key, this signature lets you validate that the request truly came from the event router.

The JWT is signed with an RSA 2048-bit private key, and can be validated with the public key found at https://router.ubsub.io/docs/cert.

On HTTP calls, the token is sent in the X-Router-Signature header.

The token will have the following attributes (per the JWT spec):

  • iat Token generation time
  • exp Expiration of 60 seconds in the future
  • iss Will always be router.ubsub.io
  • sub Will be the user id
  • aud Will be the target hostname
  • hash A custom field that will be the base64 sha256 of the event

Example:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJoYXNoIjoiUkJ
Odm8xV3paNG9SUnEwVzkraGtucFQ3VDhJZjUzNkRFTUJnOWh5cS8
0bz0iLCJpYXQiOjE0OTk1NzQwMDgsImV4cCI6MTQ5OTU3NDAzOCw
iYXVkIjoiQkplRXdMV0pTYiIsImlzcyI6IlViU3ViIiwic3ViIjo
iSGtXUEwta1NXIn0.if3ADLg78dxUNyoXvPFmcZWE6JPlDSdtjez
U0RZbVrCtIIbLTeL5SAO_IN6DflOBRdifkuRAwetZKxcXCJNJWy1
-bQjhgx689PKkdlve45ZbTYic4Q9_szg3B1iQ_PpngTXOa56WDc7
_gNMVUmt00pzfr8caRTTQP6EpdEtGz58
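
One way a receiver could check the token and the claims listed above, using only Node's built-in crypto module. This is an added example, not UbSub's own code. It assumes the public key has already been fetched from the URL above and is passed in as PEM, and that hash covers the raw request body bytes; the function names, key pair, hostname and event are constructed for the demonstration.

```javascript
const crypto = require('node:crypto');

const ISSUER = 'router.ubsub.io'; // iss value stated in the docs above
const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Verifies an X-Router-Signature token; returns the claims or throws.
// Assumption: `hash` covers the raw request body bytes exactly as received.
function verifyRouterSignature(token, publicKeyPem, rawBody, expectedHost, now = Date.now() / 1000) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm instead of trusting whatever the header asks for.
  if (b64urlJson(h).alg !== 'RS256') throw new Error('unexpected alg');
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKeyPem, sig)) throw new Error('bad signature');
  const claims = b64urlJson(p);
  if (claims.iss !== ISSUER) throw new Error('bad iss');
  if (claims.aud !== expectedHost) throw new Error('bad aud');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  const digest = crypto.createHash('sha256').update(rawBody).digest('base64');
  if (claims.hash !== digest) throw new Error('body hash mismatch');
  return claims;
}

// Constructed fixture: signs a token with a throwaway key standing in for the router's.
function makeDemoToken(privateKey, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const host = 'hooks.example.com'; // constructed target hostname
  const body = Buffer.from('{"temp":21}'); // constructed event
  const iat = Math.floor(Date.now() / 1000);
  const hash = crypto.createHash('sha256').update(body).digest('base64');
  const token = makeDemoToken(privateKey, { iat, exp: iat + 60, iss: ISSUER, sub: 'user-1', aud: host, hash });
  const attempt = (...a) => { try { verifyRouterSignature(...a); return 'ok'; } catch (e) { return e.message; } };
  return {
    valid: attempt(token, pem, body, host),
    tampered: attempt(token, pem, Buffer.from('{"temp":99}'), host),
    expired: attempt(token, pem, body, host, iat + 61),
    wrongHost: attempt(token, pem, body, 'other.example.com'),
  };
}

console.log(demo());
```

Compute the hash over the body bytes before any JSON parsing or re-serialization, since a re-encoded body will not produce the same digest.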