By leveraging webhooks, you can automate processes, synchronize data, and trigger actions in external systems based on events happening within your app. This opens up endless possibilities for seamless integration and enhanced functionality.

Setup

To set up your webhooks, follow these steps:

1. Navigate to the App Management page in your Starion dashboard.

2. Click on the "Webhooks" section.

3. Here, you can configure and manage your webhooks, including setting up endpoints, defining events to trigger webhooks, and specifying the data format for webhook payloads.

Verify

To verify the authenticity and integrity of the webhook requests coming from Starion, you need to follow these steps:

Retrieve the Public Key:

• Make a GET request to the following URL: https://secret.starion.io/v1/metadata/x509/webhooktoken

• This will provide you with the public key needed for verification.

Extract the signature:

1. In the webhook request, locate the value of the X-Starion-Signature header. This header contains the signature of the webhook payload.

2. Retrieve the message data: Get the complete payload of the webhook request, including all relevant headers and body.

Verify the signature:

Verify using RSA-PSS (RSA Probabilistic Signature Scheme) encryption method for verifying the signature of the webhook request.

// Install required packages: `npm install crypto`
const crypto = require('crypto');

function verifyMessage(publicKey, signature, message) {
    const verifier = crypto.createVerify('RSA-SHA256');
    verifier.update(message);
    return verifier.verify(publicKey, signature, 'base64');
}

// Usage:
const publicKey = '...'; // Retrieve the public key
const signature = '...'; // Get the signature from the X-Starion-Signature header
const message = '...'; // Get the message content
const isVerified = verifyMessage(publicKey, signature, message);

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

func verifyMessage(publicKeyPEM, signature, message string) (bool, error) {
	// Parse the public key
	block, _ := pem.Decode([]byte(publicKeyPEM))
	publicKey, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false, err
	}

	// Verify the signature
	hashed := sha256.Sum256([]byte(message))
	signatureBytes, _ := base64.StdEncoding.DecodeString(signature)
	err = rsa.VerifyPKCS1v15(publicKey.(*rsa.PublicKey), crypto.SHA256, hashed[:], signatureBytes)
	if err != nil {
		return false, err
	}

	return true, nil
}

// Usage:
publicKeyPEM := `...` // Retrieve the public key
signature := `...` // Get the signature from the X-Starion-Signature header
message := `...` // Get the message content
isVerified, err := verifyMessage(publicKeyPEM, signature, message)

function verifyMessage($publicKeyPEM, $signature, $message) {
    $publicKey = openssl_pkey_get_public($publicKeyPEM);
    $result = openssl_verify($message, base64_decode($signature), $publicKey, OPENSSL_ALGO_SHA256);
    openssl_free_key($publicKey);
    return $result === 1;
}

// Usage:
$publicKeyPEM = '...'; // Retrieve the public key
$signature = '...'; // Get the signature from the X-Starion-Signature header
$message = '...'; // Get the message content
$isVerified = verifyMessage($publicKeyPEM, $signature, $message);

Please note that the examples provided above assume you have the necessary dependencies installed and have retrieved the public key and signature from the webhook request as mentioned.

Remember to replace the placeholder values (...) with the actual values specific to your implementation.

By following the appropriate verification method in your preferred programming language, you can ensure the authenticity and integrity of webhook requests from Starion.