Added

Signed callbacks and redirects

Signed callbacks and redirects (Ed25519)

Pliant now cryptographically signs both callbacks (webhooks) and partner authorization redirects using Ed25519, enabling partners to verify authenticity and protect against tampering and replay attacks.

Callback authenticity

  • All callbacks include the standardized headers webhook-id, webhook-timestamp, and webhook-signature
  • Signatures follow the Standard Webhooks Signature Scheme
  • The signature is calculated over
    <webhook-id>.<webhook-timestamp>.<raw HTTP payload>
  • Each payment program has its own signing key
  • Public keys are available via /api/partner-management/signing/jwks.json
  • Partners can cache keys long-term; key rotations will be announced in advance

📘 Full implementation details and verification examples are available here: Callback authenticity

Redirect signing (partner authorization flow)

  • Redirects from Pliant to partner apps are now signed
  • The signature covers
    <t>.<partnerId>.<organizationId>
  • A timestamp (t) is included to mitigate replay attacks
  • Partners should reject redirects whose timestamp (t) falls outside their accepted tolerance window and verify the signature using the program’s public key
  • Ensures redirects originate from Pliant and parameters were not modified

📘 Full implementation details and verification examples are available here: Integration initiated from Pliant (Signed redirects)
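The following Go program is an added example, not Pliant's own code or the code from the linked documentation pages. It shows the partner-side verification for both sections above: loading Ed25519 keys from a JWKS document, checking the timestamp tolerance, verifying a Standard Webhooks asymmetric callback signature over `<webhook-id>.<webhook-timestamp>.<raw body>`, and verifying a redirect signature over `<t>.<partnerId>.<organizationId>`. Assumptions not stated on this page: the JWKS document uses the usual RFC 7517/8037 OKP fields (`kty`, `crv`, `kid`, `x`), the callback header entries take the Standard Webhooks `v1a,<base64 signature>` form, the redirect signature parameter is base64url, and a five-minute tolerance window is used. All key material, identifiers and payloads are generated or constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// One JWKS entry; encoding/json matches the RFC 7517/8037 names (kty, crv, kid, x) case-insensitively.
type jwk struct{ Kty, Crv, Kid, X string }

// parseJWKS maps kid -> Ed25519 public key, ignoring other key types (exact jwks.json shape assumed).
func parseJWKS(doc []byte) (map[string]ed25519.PublicKey, error) {
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]ed25519.PublicKey{}
	for _, k := range set.Keys {
		raw, err := base64.RawURLEncoding.DecodeString(k.X)
		if k.Kty == "OKP" && k.Crv == "Ed25519" && err == nil && len(raw) == ed25519.PublicKeySize {
			keys[k.Kid] = ed25519.PublicKey(raw)
		}
	}
	return keys, nil
}

const tolerance = 5 * time.Minute // replay window; the Standard Webhooks default
// checkTimestamp rejects a unix-seconds timestamp more than tolerance away from now.
func checkTimestamp(unixSecs string, now time.Time) error {
	ts, err := strconv.ParseInt(unixSecs, 10, 64)
	if d := now.Sub(time.Unix(ts, 0)); err != nil || d > tolerance || d < -tolerance {
		return errors.New("timestamp malformed or outside tolerance window")
	}
	return nil
}

func verifyAny(keys map[string]ed25519.PublicKey, msg, sig []byte) bool {
	for _, pk := range keys {
		if ed25519.Verify(pk, msg, sig) {
			return true
		}
	}
	return false
}

// VerifyCallback: Standard Webhooks asymmetric scheme, i.e. space-separated "v1a,<base64 sig>"
// entries in webhook-signature, signed over "<webhook-id>.<webhook-timestamp>.<raw body>".
func VerifyCallback(keys map[string]ed25519.PublicKey, id, ts, sigHeader string, body []byte, now time.Time) error {
	if err := checkTimestamp(ts, now); err != nil {
		return err
	}
	for _, entry := range strings.Fields(sigHeader) {
		version, b64, _ := strings.Cut(entry, ",") // "v1" (HMAC) or unknown versions are skipped
		sig, err := base64.StdEncoding.DecodeString(b64)
		if version == "v1a" && err == nil && verifyAny(keys, []byte(id+"."+ts+"."+string(body)), sig) {
			return nil
		}
	}
	return errors.New("no valid signature")
}

// VerifyRedirect checks the signature over "<t>.<partnerId>.<organizationId>" (base64url assumed).
func VerifyRedirect(keys map[string]ed25519.PublicKey, t, partnerID, orgID, sigB64 string, now time.Time) error {
	if err := checkTimestamp(t, now); err != nil {
		return err
	}
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil || !verifyAny(keys, []byte(t+"."+partnerID+"."+orgID), sig) {
		return errors.New("invalid redirect signature")
	}
	return nil
}

// RunDemo signs a constructed callback and redirect with a throwaway key pair, then verifies
// them and a tampered callback body. Every identifier and payload below is constructed.
func RunDemo() (callback, redirect, tampered error) {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	sign := func(msg string) []byte { return ed25519.Sign(sk, []byte(msg)) }
	doc, _ := json.Marshal(map[string][]jwk{"keys": {{"OKP", "Ed25519", "demo-key", base64.RawURLEncoding.EncodeToString(pk)}}})
	keys, _ := parseJWKS(doc)
	ts, id, body := strconv.FormatInt(time.Now().Unix(), 10), "msg_demo_123", []byte(`{"event":"card.created"}`)
	header := "v1a," + base64.StdEncoding.EncodeToString(sign(id+"."+ts+"."+string(body)))
	callback = VerifyCallback(keys, id, ts, header, body, time.Now())
	tampered = VerifyCallback(keys, id, ts, header, []byte(`{"event":"card.deleted"}`), time.Now())
	redirect = VerifyRedirect(keys, ts, "partner-42", "org-7", base64.RawURLEncoding.EncodeToString(sign(ts+".partner-42.org-7")), time.Now())
	return callback, redirect, tampered
}

func main() {
	c, r, t := RunDemo()
	fmt.Println("callback:", c, "| redirect:", r, "| tampered:", t)
}
```

Running it prints `<nil>` for the genuine callback and redirect and an error for the tampered body. In a real integration the JWKS document would be fetched once from `/api/partner-management/signing/jwks.json` and cached, as the notes above permit, and the body passed to `VerifyCallback` must be the raw request bytes rather than a re-serialized JSON object, since any re-encoding changes the signed content.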