PLATFORM RC-78 Webhook verification semantics (v1) (contract) (v1)

Download OpenAPI specification:

Contract-only webhook verification semantics and read-only verification metadata endpoints. This document does not imply a runtime backend implementation.

v1 invariants:

signing_string = ".." (no re-serialization)
X-Zex-Signature format: v1=<lowercase hex HMAC-SHA256(secret, signing_string)>
replay protection default tolerance_seconds: 300
multiple active secrets supported during rotation (current + previous)

Get webhook verification config (metadata only)

path Parameters

endpoint_id

required

string <uuid>

header Parameters

X-Correlation-Id

required

string

Responses

Response samples

Content type

application/json

{"algorithm": "hmac-sha256",
"header_spec": {"timestamp_header": "X-Zex-Timestamp",
"event_id_header": "X-Zex-Event-Id",
"signature_header": "X-Zex-Signature",
"signature_version_header": "X-Zex-Signature-Version",
"signing_string_format": "<timestamp>.<event_id>.<raw_body_bytes>"
},
"tolerance_seconds": 0,
"supported_versions": ["v1"
],
"active_secret_count": 0,
"status": {"enforcement": "enforced"
}
}