Verify webhook signatures

Use our signing libraries to confirm that webhook events are sent by TrueLayer.

We strongly recommend that developers use our signing libraries to verify the Tl-Signature of received webhooks.

For example, our Java library:

Verifier.verifyWithJwks(jwks)
        .method("POST")
        .path(path)
        .headers(allWebhookHeaders)
        .body(body)
        .verify(webhookSignature);

Verify webhooks without using libraries

🚧

Manual verification

We recommend that you use our signing libraries for easier integration.

To verify webhook signatures, refer to our Github reference implementations and examples.

In particular, see this page, which describes the signing and verification scheme.