Webhook Configuration
- Merchant should expose an HTTPS endpoint that is publicly accessible on the internet.
- Merchant should validate incoming requests using the Authorization token present in the request header.
JWT Authorization Token
- The Authorization token is a JWT. The public key needed to validate it is provided by the CCG team during Merchant onboarding.
- The JWT tokens are signed with the ES256 algorithm (ECDSA using the P-256 curve and SHA-256).
The JWT token should be validated for:
- Expiry
- Signature
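The two checks above, written out for a Node.js receiver using only the built-in crypto module. This is an added example, not code supplied by CCG; the function names verifyWebhookAuth and makeSampleToken are hypothetical, and a throwaway P-256 key pair stands in for the public key issued at onboarding.

```javascript
const crypto = require('crypto');

const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Returns the token's claims when the Authorization header value is valid; throws otherwise.
// nowSec is injectable so expiry handling can be tested deterministically.
function verifyWebhookAuth(authHeader, publicKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer\s*([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || '');
  if (!m) throw new Error('missing or malformed bearer token');
  const [, h, p, s] = m;

  // Pin the algorithm: the token's own header must never select it.
  if (b64urlJson(h).alg !== 'ES256') throw new Error('unexpected alg');

  // JWS ES256 signatures are raw r||s (64 bytes), not DER-encoded.
  const sig = Buffer.from(s, 'base64url');
  if (sig.length !== 64) throw new Error('bad signature length');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKeyPem, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('bad signature');

  // Claims are trusted only after the signature has verified.
  const claims = b64urlJson(p);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('token expired');
  return claims;
}

// Constructed sample input: signs a token with a test private key (assumption, for local testing only).
function makeSampleToken(privateKey, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg: 'ES256', typ: 'JWT' })}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}
```

A token with no exp claim is rejected here rather than treated as non-expiring.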
OAuth Integration
- OAuth provides a standardized protocol for secure, delegated access to resources on behalf of a user. To enhance security and authentication, OAuth can be integrated into the webhook configuration process. This ensures secure access and authorization for interactions between systems.
- Merchant can consume webhook events via the Stargate gateway.
- Webhook consumers are required to register with HCP and share their client credentials with CCG. Subsequently, CCG will issue a token based on these credentials for secure communication.
Header
Authorization: Bearer <token>