Validating Router Signature

Every router request includes a signature in the form of a JSON Web Token (JWT). In addition to the key, this signature lets you validate that the request truly came from the event router.

The JWT is signed with an RSA 2048-bit private key and can be validated with the public key found at https://router.ubsub.io/docs/cert.

On the HTTP call, the token is sent in the X-Router-Signature header.

The token will have the following attributes (per the JWT spec):

  • iat Token generation time
  • exp Expiration of 60 seconds in the future
  • iss Will always be router.ubsub.io
  • sub Will be the user id
  • aud Will be the target hostname
  • hash A custom field that will be the base64-encoded SHA-256 of the event

Example:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJoYXNoIjoiUkJ
Odm8xV3paNG9SUnEwVzkraGtucFQ3VDhJZjUzNkRFTUJnOWh5cS8
0bz0iLCJpYXQiOjE1NTg4MjQ5NTQsImV4cCI6MTU1ODgyNDk4NCw
iYXVkIjoid2ViaG9vay5zaXRlIiwiaXNzIjoicm91dGVyLnVic3V
iLmlvIiwic3ViIjoiU0pfTXpCX0lYIn0.IKP_4LLE3uvUJ8GjX4T
HjzVRnUGucHEa_5wUXX2dg0ls8wtvrPIxZojrfp6a38OP6CH2nww
AgXDtlzj3NYUdpDfiG-Wlvan4mUQIVB4sMSvg_VKr3_fKJ_idO_8
BHMXuW9oELttH5dXbyiAKAdJ3fVhRN2p0icoI6IIEpXrszk9ZxPF
G4eTdv8ODCOXBemZS3MxcHZyuFtP0Ms94GQYEk0aIn-x3xyA4Ry4
XJUwb-dpl1zPW-aS2phJkTtnHFD8JjBmS-mol6x7VIzsOgxjD5IW
3Rn0TK1iGydV1jULrEUmKYRwedsenWTOj9myMydjFbAMN2xLZwC-
Lyr0xW432lQ

Which parses to:

// Header
{
  "alg": "RS256",
  "typ": "JWT"
}

// Body
{
  "hash": "RBNvo1WzZ4oRRq0W9+hknpT7T8If536DEMBg9hyq/4o=",
  "iat": 1558824954,
  "exp": 1558824984,
  "aud": "webhook.site",
  "iss": "router.ubsub.io",
  "sub": "SJ_MzB_IX"
}
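
A receiver-side check of the X-Router-Signature token described above, as an added example (not ubsub's own code) that uses only Node's built-in crypto module. It assumes the hash claim covers the raw request body bytes and that the public key has been saved locally as PEM; the function names and the 5-second clock-skew allowance are hypothetical.

```javascript
const crypto = require('node:crypto');

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// publicKeyPem: key from https://router.ubsub.io/docs/cert, saved locally as PEM.
// rawBody: Buffer of the body as received (assumption: "hash" covers these bytes).
// expectedAud: this receiver's hostname. now: epoch seconds, injectable for tests.
function verifyRouterSignature(token, rawBody, publicKeyPem, expectedAud,
                               now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;

  // Pin the algorithm: the token must not choose how it gets verified.
  if (b64urlJson(h).alg !== 'RS256') throw new Error('unexpected alg');

  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
                           publicKeyPem, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');

  // Claims are read only after the signature check has passed.
  const claims = b64urlJson(p);
  if (claims.iss !== 'router.ubsub.io') throw new Error('bad iss');
  if (claims.aud !== expectedAud) throw new Error('bad aud');
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('expired');
  // 5 s of clock skew is an assumed tolerance, not a value from the docs.
  if (typeof claims.iat !== 'number' || claims.iat > now + 5) throw new Error('iat in future');

  // Bind the token to this payload: compare base64 SHA-256 of the body to "hash".
  const digest = crypto.createHash('sha256').update(rawBody).digest();
  const claimed = Buffer.from(String(claims.hash), 'base64');
  if (claimed.length !== digest.length || !crypto.timingSafeEqual(claimed, digest)) {
    throw new Error('hash mismatch');
  }
  return claims;
}

// Constructed fixture helper: signs a token with a throwaway key for local testing.
function signConstructedToken(privateKey, header, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}
```

The hash value in the parsed example above is the base64 SHA-256 of the two-byte body `{}`, so that body makes a convenient fixture. Pass the body bytes exactly as received, since re-serializing parsed JSON can change the bytes and break the hash comparison.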