> ## Documentation Index
> Fetch the complete documentation index at: https://waffo.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Webhook - signature verification

> RSA signature verification method and code examples for Webhook requests.

Each Webhook request header includes `X-SIGNATURE`, which is signed using the Waffo private key. Merchants must use the Waffo public key to verify the signature.

## Get the Waffo public key

Log in to **Merchant Portal** → **Integration** menu to view and copy the Waffo public key.

<Note>
  **Dev** or **Admin** role permissions are required to access this page.
</Note>

## Recommended approach: use the SDK

The SDK’s `handleWebhook()` method automatically performs signature verification, event parsing, routing, and response signing:

<CodeGroup>
  ```typescript Node.js theme={null}
  app.post('/webhook', express.raw({ type: 'application/json' }), async (req, res) => {
    const body = req.body.toString();
    const signature = req.headers['x-signature'] as string;

    const result = await waffo.webhook().handleWebhook(body, signature);

    res.setHeader('X-SIGNATURE', result.responseSignature);
    res.setHeader('Content-Type', 'application/json');
    res.status(200).send(result.responseBody);
  });
  ```

  ```go Go theme={null}
  func webhookHandler(w http.ResponseWriter, r *http.Request) {
      body, _ := io.ReadAll(r.Body)
      signature := r.Header.Get("X-SIGNATURE")

      result := handler.HandleWebhook(string(body), signature)

      w.Header().Set("X-SIGNATURE", result.ResponseSignature)
      w.Header().Set("Content-Type", "application/json")
      w.WriteHeader(200)
      w.Write([]byte(result.ResponseBody))
  }
  ```
</CodeGroup>

## Manual verification

If you need to handle this manually (without the SDK), the verification steps are:

<Steps>
  <Step title="Get the signature">
    Get `X-SIGNATURE` from the request header.
  </Step>

  <Step title="Get the raw body">
    Get the raw request body string (do not JSON parse and then stringify).
  </Step>

  <Step title="Verify the signature">
    Use the Waffo public key + SHA256WithRSA to verify the signature.
  </Step>

  <Step title="Process the event">
    Process the event after the signature verification passes.
  </Step>

  <Step title="Sign the response">
    You must set the `X-SIGNATURE` header in the response (sign the response body with the merchant private key).
  </Step>
</Steps>

### Manual examples

<CodeGroup>
  ```typescript Node.js theme={null}
  import { createVerify, createSign } from 'crypto';

  function verifyWaffoSignature(body: string, signature: string): boolean {
    const verify = createVerify('SHA256');
    verify.update(body);
    return verify.verify(process.env.WAFFO_PUBLIC_KEY!, signature, 'base64');
  }

  function signResponse(responseBody: string): string {
    const sign = createSign('SHA256');
    sign.update(responseBody);
    return sign.sign(process.env.MERCHANT_PRIVATE_KEY!, 'base64');
  }

  app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
    const body = req.body.toString();
    const signature = req.headers['x-signature'] as string;

    if (!verifyWaffoSignature(body, signature)) {
      const failedBody = JSON.stringify({ message: 'failed' });
      res.setHeader('X-SIGNATURE', signResponse(failedBody));
      return res.status(200).send(failedBody);
    }

    // Process the event...

    const successBody = JSON.stringify({ message: 'success' });
    res.setHeader('X-SIGNATURE', signResponse(successBody));
    res.status(200).send(successBody);
  });
  ```

  ```go Go theme={null}
  import (
      "crypto"
      "crypto/rand"
      "crypto/rsa"
      "crypto/sha256"
      "crypto/x509"
      "encoding/base64"
      "encoding/pem"
      "encoding/json"
      "io"
      "net/http"
      "os"
  )

  // Verify the Waffo signature
  func verifyWaffoSignature(body string, signature string) bool {
      pubKeyPEM := []byte(os.Getenv("WAFFO_PUBLIC_KEY"))
      block, _ := pem.Decode(pubKeyPEM)
      pubKey, _ := x509.ParsePKIXPublicKey(block.Bytes)

      sig, _ := base64.StdEncoding.DecodeString(signature)
      hash := sha256.Sum256([]byte(body))
      err := rsa.VerifyPKCS1v15(pubKey.(*rsa.PublicKey), crypto.SHA256, hash[:], sig)
      return err == nil
  }

  // Sign the merchant response
  func signResponse(responseBody string) string {
      privKeyPEM := []byte(os.Getenv("MERCHANT_PRIVATE_KEY"))
      block, _ := pem.Decode(privKeyPEM)
      privKey, _ := x509.ParsePKCS1PrivateKey(block.Bytes)

      hash := sha256.Sum256([]byte(responseBody))
      sig, _ := rsa.SignPKCS1v15(rand.Reader, privKey, crypto.SHA256, hash[:])
      return base64.StdEncoding.EncodeToString(sig)
  }

  func webhookHandler(w http.ResponseWriter, r *http.Request) {
      body, _ := io.ReadAll(r.Body)
      signature := r.Header.Get("X-SIGNATURE")

      if !verifyWaffoSignature(string(body), signature) {
          failedBody, _ := json.Marshal(map[string]string{"message": "failed"})
          w.Header().Set("X-SIGNATURE", signResponse(string(failedBody)))
          w.Header().Set("Content-Type", "application/json")
          w.WriteHeader(200)
          w.Write(failedBody)
          return
      }

      // Process the event...

      successBody, _ := json.Marshal(map[string]string{"message": "success"})
      w.Header().Set("X-SIGNATURE", signResponse(string(successBody)))
      w.Header().Set("Content-Type", "application/json")
      w.WriteHeader(200)
      w.Write(successBody)
  }
  ```
</CodeGroup>

## Notes

<Warning>
  * **You must verify the signature before processing the event**. Do not respond first and then verify.
  * **The response must include the `X-SIGNATURE` header**, otherwise Waffo will treat the delivery as failed.
  * Verify the signature using the raw request body; do not JSON parse and then stringify.
  * The SDK provides a complete webhook handling pipeline. Using the SDK is recommended over manual handling.
</Warning>