Tesser signs every outgoing webhook request with an Ed25519 asymmetric signature. You should verify this signature on your server before processing the payload.
Signature Header
Each webhook request includes the following headers:
| Header | Description |
|---|---|
| X-Tesser-Signature | Base64-encoded Ed25519 signature of the request body |
| Content-Type | Always application/json |
| User-Agent | Tesser-Webhooks/1.0 |
The signature is computed over the exact UTF-8 bytes of the JSON request body. Do not parse and re-serialize the body before verifying — use the raw bytes.
Public Keys
Tesser uses separate public keys for production and sandbox. Verify with the key that matches the environment the webhook is being delivered from, and reject any signature that does not verify against that key, even if it would verify against the other environment's key.
| Environment | Constant | API host | Value (SPKI DER, base64) |
|---|---|---|---|
| Production | WEBHOOK_PUBLIC_KEY | https://api.tesser.xyz | MCowBQYDK2VwAyEAOfvxBlVYrtI3tQ2uEQT6F+LVm5FvSxbD/8kBoFBl1KQ= |
| Sandbox / Staging | WEBHOOK_SANDBOX_PUBLIC_KEY | https://sandbox.tesserx.co | MCowBQYDK2VwAyEALAxMg+qVGP8LWTYjr0riGw7tQ3i5T5jj1fcssibgFHY= |
Both keys are provided in SPKI DER format, base64-encoded.
If you're using the SDK, import the constants directly:
Code
Otherwise, copy the literal values from the table above.
Verifying Signatures
Pass the public key for the environment the webhook is being delivered from — use WEBHOOK_PUBLIC_KEY for production webhooks and WEBHOOK_SANDBOX_PUBLIC_KEY for sandbox / staging webhooks.
Code
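An added example, not Tesser's SDK or code from this page: verification with Node.js's built-in crypto module, using the key values from the table above and returning 401 on failure. The names verifyWebhook, handleWebhook and demo are hypothetical, and the demo signs with a throwaway key pair constructed in the example because Tesser's private key is not available.

```javascript
const crypto = require("node:crypto");

// Public keys copied from the table above (SPKI DER, base64).
const WEBHOOK_PUBLIC_KEY = "MCowBQYDK2VwAyEAOfvxBlVYrtI3tQ2uEQT6F+LVm5FvSxbD/8kBoFBl1KQ=";
const WEBHOOK_SANDBOX_PUBLIC_KEY = "MCowBQYDK2VwAyEALAxMg+qVGP8LWTYjr0riGw7tQ3i5T5jj1fcssibgFHY=";

// Hypothetical helper: true only if signatureB64 is a valid Ed25519
// signature over the exact bytes in rawBody (a Buffer, never a parsed object).
function verifyWebhook(rawBody, signatureB64, publicKeyB64) {
  if (!Buffer.isBuffer(rawBody) || typeof signatureB64 !== "string") return false;
  const signature = Buffer.from(signatureB64, "base64");
  if (signature.length !== 64) return false; // Ed25519 signatures are 64 bytes
  try {
    const key = crypto.createPublicKey({
      key: Buffer.from(publicKeyB64, "base64"), format: "der", type: "spki",
    });
    if (key.asymmetricKeyType !== "ed25519") return false;
    return crypto.verify(null, rawBody, key, signature);
  } catch {
    return false; // malformed key or signature: fail closed
  }
}

// Hypothetical framework-agnostic handler: returns the HTTP status to send.
// Header names are lower-cased, as Node's http module delivers them.
function handleWebhook(rawBody, headers, publicKeyB64) {
  if (!verifyWebhook(rawBody, headers["x-tesser-signature"], publicKeyB64)) return 401;
  const event = JSON.parse(rawBody.toString("utf8")); // parse only after verifying
  void event; // application-specific processing would go here
  return 200;
}

// Constructed demo: a throwaway key pair stands in for Tesser's signing key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const demoKey = publicKey.export({ format: "der", type: "spki" }).toString("base64");
  const body = Buffer.from('{"id": "evt_demo", "type": "demo.event"}', "utf8");
  const headers = { "x-tesser-signature": crypto.sign(null, body, privateKey).toString("base64") };
  // Parsing and re-serializing drops the spaces, so the bytes no longer match.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(body.toString("utf8"))), "utf8");
  return {
    valid: handleWebhook(body, headers, demoKey),
    reserialized: handleWebhook(reserialized, headers, demoKey),
    wrongKey: handleWebhook(body, headers, WEBHOOK_SANDBOX_PUBLIC_KEY),
    missingHeader: handleWebhook(body, {}, demoKey),
  };
}
```

In a real server, capture the request body as a Buffer before any JSON middleware runs and pass that Buffer as rawBody.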
Important Notes
- Always verify using the raw request body bytes. Parsing the JSON and re-serializing may change whitespace or key order, which will invalidate the signature.
- If verification fails, respond with 401 and do not process the event.
- The public key may be rotated in the future. Key rotation will be announced in advance and communicated through the Tesser Dashboard.