Clients should use HTTPS for their External Trans API webhook to ensure fundamental security is in place.
The client's product can be configured so that Galileo will use a JSON Web Token (JWT) for authenticating with the client's webhook. (While it is optional, it is strongly encouraged that clients configure their product to use JWT.) A shared secret will be used for encoding (signing) and decoding (verifying) the token. The payload will have the following claims:

- iat - Issued At
- exp - Expiration Time
- iss - "galileo"
The token will be created using the following Python code:

```python
import jwt
from datetime import datetime, timedelta

# `secret` is the shared secret agreed between Galileo and the client.
payload = {
    'exp': datetime.utcnow() + timedelta(seconds=5),  # token is valid for five seconds
    'iat': datetime.utcnow(),
    'iss': 'galileo'
}
token = jwt.encode(payload, secret, algorithm='HS256')
```

where secret is the shared secret.
The token will be placed in the body of the request, in the jwt property. (This will likely change in a future release.)
Security Example
Here is the value for exp = 1534274886 and iat = 1534274881 that would appear in the request body:

```json
{
...
"jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnYWxpbGVvIiwiaWF0IjoxNTM0Mjc0ODgxLCJleHAiOjE1MzQyNzQ4ODZ9.1xUk4iNFGWLo01MyJUHXRlyrNlzwPvDMSXpN38TrblU"
}
```
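As an added example (not Galileo's code and not part of this page), here is what the receiving side of the webhook should do with that token, written against the Python standard library only so it runs without PyJWT. make_token mirrors the sender side shown above so the round trip can be exercised offline; verify_token pins the algorithm to HS256, checks the HMAC with a constant-time compare, and enforces the iss, exp and iat claims, with an optional leeway for clock skew (a five-second lifetime leaves little room for drift). The secret and the timestamps fed to the demo are constructed; the page's own example token is only decoded, not verified, because its shared secret is not published.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "galileo"
# Constructed demo secret; the real shared secret is agreed out of band with Galileo.
DEMO_SECRET = "constructed-demo-secret-not-the-real-one"
# The token from the request-body example on this page (its secret is unknown, so it is only decoded).
PAGE_EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiJnYWxpbGVvIiwiaWF0IjoxNTM0Mjc0ODgxLCJleHAiOjE1MzQyNzQ4ODZ9."
    "1xUk4iNFGWLo01MyJUHXRlyrNlzwPvDMSXpN38TrblU"
)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_segments(header_b64, payload_b64, secret):
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    return hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()


def make_token(claims, secret):
    """Sender side: HS256-sign header.payload, the same shape PyJWT's encode() produces."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = sign_segments(header_b64, payload_b64, secret)
    return ".".join([header_b64, payload_b64, b64url_encode(signature)])


def peek_claims(token):
    """Decode the payload WITHOUT verifying it; useful for logging, never as a basis for trust."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_token(token, secret, now=None, issuer=ISSUER, leeway=0):
    """Receiver side: return the claims if the token is valid, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must not choose it (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = sign_segments(header_b64, payload_b64, secret)
    # Constant-time compare so the check leaks nothing about the valid MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer: %r" % claims.get("iss"))
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise ValueError("token missing exp or expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + leeway:
        raise ValueError("token issued in the future")
    return claims


if __name__ == "__main__":
    print("page example claims (unverified):", peek_claims(PAGE_EXAMPLE_TOKEN))
    demo = make_token({"iss": ISSUER, "iat": 1534274881, "exp": 1534274886}, DEMO_SECRET)
    print("fresh token ok:", verify_token(demo, DEMO_SECRET, now=1534274883))
    checks = [
        ("expired", demo, 1534274900),
        ("wrong secret", make_token({"iss": ISSUER, "iat": 1, "exp": 10}, "other-secret"), 5),
    ]
    for label, tok, now in checks:
        try:
            verify_token(tok, DEMO_SECRET, now=now)
        except ValueError as err:
            print(label + ":", err)
```

In a real webhook handler the same checks are one call in PyJWT, jwt.decode(token, secret, algorithms=["HS256"], issuer="galileo"), and the point to keep from the hand-rolled version is that algorithms must always be passed explicitly so the token cannot pick its own.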