Security

Clients should serve their External Trans API webhook over HTTPS; this is the baseline protection for the request data in transit.

The client's product can be configured so that Galileo uses a JSON Web Token (JWT) to authenticate itself to the client's webhook. (This is optional, but clients are strongly encouraged to configure their product to use JWT.) A shared secret is used to sign (encode) the token on Galileo's side and to verify (decode) it on the client's side. The payload will carry the following claims:

  • iat - Issued At
  • exp - Expiration Time
  • iss - "galileo"

The token will be created using the following Python code:

import jwt  # PyJWT
from datetime import datetime, timedelta

secret = '<shared secret>'  # placeholder: the secret shared between Galileo and the client

payload = {
    'exp': datetime.utcnow() + timedelta(seconds=5),  # the token is valid for five seconds
    'iat': datetime.utcnow(),
    'iss': 'galileo'
}
token = jwt.encode(payload, secret, algorithm='HS256')  # HMAC-SHA256 over header and payload

where secret is the shared secret.

The token will be placed in the body of the request, in the jwt property. (This will likely change in a future release.)

Security Example

Here is how the token appears in the request body for exp = 1534274886 and iat = 1534274881:

{
    ...
    "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnYWxpbGVvIiwiaWF0IjoxNTM0Mjc0ODgxLCJleHAiOjE1MzQyNzQ4ODZ9.1xUk4iNFGWLo01MyJUHXRlyrNlzwPvDMSXpN38TrblU"
}
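The receiving side of this scheme, as an added example that is not Galileo's or the client's code: a standard-library verifier for the jwt property of a parsed request body, which rebuilds the header and payload segments exactly as they appear above and then checks algorithm, signature, issuer and expiry in that order. The shared secret (and therefore the signature) is a constructed placeholder, and `now` is passed in as a Unix timestamp (use `time.time()` in production).

```python
import base64
import hashlib
import hmac
import json

SHARED_SECRET = 'constructed-shared-secret'  # constructed; the real value is agreed out of band


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + '=' * (-len(s) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode()


def make_token(secret, iat, exp, iss='galileo'):
    """Build the HS256 token with the three claims the page lists (mirrors the sender side)."""
    header = _b64url_encode(json.dumps({'alg': 'HS256', 'typ': 'JWT'}, separators=(',', ':')).encode())
    payload = _b64url_encode(json.dumps({'iss': iss, 'iat': iat, 'exp': exp}, separators=(',', ':')).encode())
    sig = hmac.new(secret.encode(), f'{header}.{payload}'.encode(), hashlib.sha256).digest()
    return f'{header}.{payload}.{_b64url_encode(sig)}'


def verify_token(token, secret, now, expected_iss='galileo', leeway=0):
    """Return the claims if the token is genuine and current; raise ValueError otherwise."""
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('malformed token')
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if not isinstance(header, dict) or header.get('alg') != 'HS256':
        raise ValueError('unexpected alg')  # the verifier, not the token, fixes the algorithm
    expected = hmac.new(secret.encode(), f'{h64}.{p64}'.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError('bad signature')  # constant-time compare, done before any claim is trusted
    claims = json.loads(_b64url_decode(p64))
    if not isinstance(claims, dict) or claims.get('iss') != expected_iss:
        raise ValueError('unexpected issuer')
    if not isinstance(claims.get('exp'), int) or now > claims['exp'] + leeway:
        raise ValueError('token expired')  # only a 5 s window, so keep the webhook host's clock synced
    if isinstance(claims.get('iat'), int) and claims['iat'] > now + leeway:
        raise ValueError('iat is in the future')
    return claims


def authenticate_body(body, secret, now):
    """Check the jwt property of the parsed request body; return (ok, reason)."""
    token = body.get('jwt')
    if not isinstance(token, str):
        return False, 'missing jwt property'
    try:
        verify_token(token, secret, now)
    except ValueError as err:
        return False, str(err)
    return True, 'ok'
```

A webhook that rejects on any `(False, reason)` result should log the reason, since a burst of expired or bad-signature tokens usually points at clock skew or a secret mismatch rather than at an attack.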