How to verify Finmo Resthook signatures (beta)

Written by Lenny Desk
Updated over a week ago

Note: This article is written for developers.

Finmo rest hooks are a great way to hook Finmo events back into your system. But an open rest hook might expose your endpoint to the rest of the internet. To protect against bad actors, we strongly recommend that you verify the signature of every incoming rest hook to guarantee that the message was sent by us.

How to obtain your public key

Your public key is on the Team Settings > Integrations page under the "Resthooks" section. Copy your public key for later.

How to verify your signature

Once you set up a rest hook, you can verify the signature with the following pseudo-code:

const publicKey = 'YOUR PUBLIC KEY';
const signature = req.headers['finmo-resthook-signature'];
// The raw request body as a string, not a parsed JSON object
const rawBody = req.body;

const isVerified = rsaSha256Verify({
  key: publicKey,
  signature: signature,
  data: rawBody
});

Or follow the steps in order:

1. Retrieve the signature from the finmo-resthook-signature header value

2. Retrieve the raw request body as a string

3. Verify the raw request body using the RSA-SHA256 algorithm (with padding RSA_PKCS1_PSS_PADDING) using the signature and public key

Code samples

Node JS

import crypto from 'crypto'

const verifySignature = (publicKey, signature, rawBody) => {
  const verifier = crypto.createVerify('RSA-SHA256')
  // Feed in the raw request body exactly as it was received
  verifier.update(rawBody)

  // The signature header value is base64-encoded
  return verifier.verify({ key: publicKey, padding: crypto.constants.RSA_PKCS1_PSS_PADDING }, signature, 'base64')
}
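
The three steps above, wired into a plain Node HTTP handler that keeps the raw bytes and rejects anything unverified. This is an added example, not Finmo's own code; verifyResthook, makeHandler, demo and the sample payload are hypothetical names and constructed values, and a throwaway key pair stands in for the Finmo signing key so the block runs offline.

```javascript
// Added example (not Finmo's code): verify over the exact bytes received.
const crypto = require('node:crypto');

// True only if signatureB64 is a valid RSA-SHA256 (PSS) signature of rawBody.
function verifyResthook(publicKeyPem, signatureB64, rawBody) {
  if (typeof signatureB64 !== 'string' || signatureB64.length === 0) return false;
  const body = Buffer.isBuffer(rawBody) ? rawBody : Buffer.from(rawBody, 'utf8');
  try {
    return crypto.verify('sha256', body,
      { key: publicKeyPem, padding: crypto.constants.RSA_PKCS1_PSS_PADDING },
      Buffer.from(signatureB64, 'base64'));
  } catch {
    return false; // malformed key or signature: treat as unverified
  }
}

// Handler for http.createServer(): buffers the body before any JSON parsing.
function makeHandler(publicKeyPem, onEvent) {
  return (req, res) => {
    const chunks = [];
    req.on('data', (c) => chunks.push(c));
    req.on('end', () => {
      const raw = Buffer.concat(chunks);
      const sig = req.headers['finmo-resthook-signature'];
      if (!verifyResthook(publicKeyPem, sig, raw)) {
        res.writeHead(401).end(); // reject before the payload is parsed or used
        return;
      }
      onEvent(JSON.parse(raw.toString('utf8')));
      res.writeHead(204).end();
    });
  };
}

// Constructed demo: a throwaway key pair plays the sender's role.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const raw = '{"event":"application.updated", "id":1}'; // constructed payload
  const sig = crypto.sign('sha256', Buffer.from(raw),
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_PSS_PADDING }).toString('base64');
  return {
    valid: verifyResthook(pem, sig, raw),                                    // true
    reserialized: verifyResthook(pem, sig, JSON.stringify(JSON.parse(raw))), // false
    missing: verifyResthook(pem, undefined, raw),                            // false
  };
}
```

The reserialized case fails because parsing and re-stringifying the JSON changes the bytes, which is why the signature must be checked against the raw body before any body-parsing middleware touches it.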

What if a rest hook fails?

The rest hook will continue to be called up to 300 times, after which it will be automatically disabled. The rest hook failure message will be displayed in the "Resthooks" section of Finmo.

How to view rest hook fails

1. Click the gear icon.

2. Select "Integrations" and scroll down to "Resthooks".

💡 Tip: Make sure the rest hook is enabled on your side. If it is not, delete it or correct it before re-enabling it on Finmo.

Additional Resources

Should you have any questions please click on the chat bubble or email
