
Signature Verification for Events

Your webhook URL must be accessible from the open internet. This means third-party actors can send forged requests, tricking your application into handling fake events.

To prevent this, Adobe I/O Events has a resilient and secure event validation process, described below, that allows users to secure their webhook.

Digital Signatures for Security Verification

Adobe I/O Events performs the following security validations for each event delivered to your webhook.

  • Adobe I/O Events sends an additional field, recipient_client_id, as part of your event payload.
  • The event payload is signed digitally using a fixed public/private key pair generated by Adobe I/O Events. The digital signature is sent as a webhook request header.
  • Adobe I/O Events sends the relative path of the public key, which is served from the fixed Adobe domain static.adobeioevents.com, as a webhook request header.

I/O Events sends 2 digital signatures as webhook request headers, available via the header fields x-adobe-digital-signature-1 and x-adobe-digital-signature-2 respectively.

I/O Events also sends the relative paths of the 2 public keys corresponding to the private keys used to generate the digital signatures. These public keys are publicly accessible on the Adobe domain static.adobeioevents.com, at the relative paths given in the webhook request header fields x-adobe-public-key1-path and x-adobe-public-key2-path respectively. The SDK fetches the public keys using the Adobe domain and their respective relative paths.

Verifying the Signature

Once the SDK has fetched the public keys as plain text, it verifies the digital signatures with the following steps:

  • decrypt the signature using the public key to recover the message digest
  • compute the hash message digest of the event payload (available in the webhook request body) using the same hash function algorithm, rsa-sha256, used by I/O Events during signing
  • validate each signature by comparing
    • the message digest computed by hashing
    • and the digest received after decrypting the signature using the public key
  • if validation of any one of the signatures succeeds, the event can be considered valid.

The SDK method below lets you pass the received digital signature headers, the relative paths of the public keys, and the JSON payload delivered to the webhook in order to check its authenticity. The JSON payload contains the recipient-client-id, which is matched against your own webhook registration client id passed to this SDK method. The method returns true if validation of any one of the digital signatures succeeds; otherwise it returns false.

This SDK API can be used in any digital signature verification implementation for your consumer app to verify the authenticity of events coming from Adobe I/O Events.


verifyDigitalSignatureForEvent(event, recipientClientId, [signatureOptions]) ⇒ boolean

  • event: JSON payload delivered to the registered webhook URL
  • recipientClientId: Target recipient client id retrieved from the Adobe I/O Console integration
  • signatureOptions: Map of digital signature header fields defined in SignatureOptions

SignatureOptions : object

  • Value of digital signature retrieved from the x-adobe-digital-signature1 header
  • Value of digital signature retrieved from the x-adobe-digital-signature2 header
  • Relative path of ioevents public key retrieved from the x-adobe-public-key1-path header
  • Relative path of ioevents public key retrieved from the x-adobe-public-key2-path header

Sample Headers

Headers received as part of POST to webhook URL:

Request URL: <webhook_url>
Request method: POST
Content-Type: application/json; charset=utf-8
accept-encoding: deflate,compress,identity
user-agent: Adobe/1.0
x-adobe-delivery-id: <id>
x-adobe-event-code: <event_code>
x-adobe-event-id: <event_id>
x-adobe-provider: <provider_name>
x-adobe-signature: <signature>
x-adobe-digital-signature-1: <digital_signature_1>
x-adobe-digital-signature-2: <digital_signature_2>
x-adobe-public-key1-path: <public_key1_relative_path>
x-adobe-public-key2-path: <public_key2_relative_path>


If the signature is valid, the method returns true; otherwise it returns false.

Copyright © 2022 Adobe. All rights reserved.