Webhook Authentication

Tesser signs every outgoing webhook request with an Ed25519 asymmetric signature. You should verify this signature on your server before processing the payload.

Signature Header

Each webhook request includes the following headers:

The signature is computed over the exact UTF-8 bytes of the JSON request body. Do not parse and re-serialize the body before verifying — use the raw bytes.

Public Key

Tesser's webhook public key is provided in SPKI DER format, base64-encoded. You can also import it from the SDK types package:

Code
 
import { WEBHOOK_PUBLIC_KEY } from "@tesser-payments/types";

Verifying Signatures

Code
 
import { createPublicKey, verify } from "node:crypto";
import { WEBHOOK_PUBLIC_KEY } from "@tesser-payments/types";

function verifyWebhook(rawBody, signature) {
  const publicKeyObj = createPublicKey({
    key: Buffer.from(WEBHOOK_PUBLIC_KEY, "base64"),
    type: "spki",
    format: "der",
  });
  return verify(
    null,
    Buffer.from(rawBody, "utf8"),
    publicKeyObj,
    Buffer.from(signature, "base64"),
  );
}

// In your webhook handler:
const signature = req.headers["x-tesser-signature"];
const isValid = verifyWebhook(req.rawBody, signature);

if (!isValid) {
  return res.status(401).json({ error: "Invalid signature" });
}

Important Notes

• Always verify using the raw request body bytes. Parsing the JSON and re-serializing may change whitespace or key order, which will invalidate the signature.
• If verification fails, respond with 401 and do not process the event.
• The public key may be rotated in the future. Key rotation will be announced in advance and communicated through the Tesser Dashboard.