Note: This article is written for developers.
Finmo rest hooks are a great way to hook Finmo events back into your system. But an open rest hook endpoint is reachable from the rest of the internet, so anyone could post a forged event to it. To protect against bad actors, we strongly recommend that you verify the signature of every incoming rest hook request, which guarantees the message was sent by us and was not altered in transit.
How to obtain your public key
Your public key is on the Team Settings > Integrations page under the "Resthooks" section. Copy your public key for later.
How to verify your signature
Once you set up a rest hook, you can verify the signature with the following pseudo-code:
const publicKey = 'YOUR PUBLIC KEY'
const signature = req.headers['finmo-resthook-signature']
const rawBody = req.body // the raw request body as a string, exactly as received (not a parsed object)
const isVerified = rsaSha256Verify({
  key: publicKey,
  padding: RSA_PKCS1_PSS_PADDING,
  signature: signature,
  data: rawBody
})
Or follow the steps in order:
1. Retrieve the signature from the finmo-resthook-signature header value
2. Retrieve the raw request body as a string
3. Verify the raw request body using the RSA-SHA256 algorithm (with padding RSA_PKCS1_PSS_PADDING) using the signature and public key
Code samples
Node JS
import crypto from 'crypto'

// publicKey: the PEM public key copied from Team Settings > Integrations > Resthooks
// signature: the value of the finmo-resthook-signature header (base64 encoded)
// rawBody: the request body exactly as received (string or Buffer), not re-serialised JSON
const verifySignature = (publicKey, signature, rawBody) => {
  const verifier = crypto.createVerify('RSA-SHA256')
  verifier.update(rawBody)
  // PSS padding constant comes from crypto.constants; the standalone 'constants' module is deprecated
  return verifier.verify({ key: publicKey, padding: crypto.constants.RSA_PKCS1_PSS_PADDING }, signature, 'base64')
}
What if a rest hook fails?
The rest hook will continue to be called up to 300 times after which it will be automatically disabled. The rest hook failure message will be displayed in the "Resthooks" section of Finmo.
How to view rest hook fails
1. Click the gear icon.
2. Select "Integrations" and scroll down to "Resthooks".
💡Tip: Make sure the rest hook is enabled on your side; if it is not, delete it or correct it before re-enabling it on Finmo.
Additional Resources
Should you have any questions please click on the chat bubble or email support@finmo.ca