Validate that a webhook from Constant Contact is authentic.

Validate webhook notifications you receive from Constant Contact to ensure that the:

  • webhook is from Constant Contact
  • message content has remained unchanged

Webhook Callback Signature Format

The signature format is JWS-based (JSON Web Signature - RFC7515) with detached content. For efficiency and simplicity the verification uses RFC7797 allowing the payload to not be base64-encoded before it’s signed. The ts (timestamp) field is included in the JWS header part of the signature to prevent replays and includes the time the webhook call was initiated.

JWS Header

The JWS header includes the following:

  • alg: the crypto algorithm that Constant Contact used to sign the key.

  • ts: the timestamp showing when the webhook call was initiated, which allows you to mitigate replay attacks.

  • b64: indicates that the payload is not base64url-encoded (false).

  • crit: indicates that the payload is not base64url-encoded.

For example:


Validate the Signature

To validate the signature of a notification event:

  1. Make a GET request to the Constant Contact JWKS URL and obtain the public signing key for webhooks. The URL is This URL will returns an array of public json web keys.
  2. Reattach the notification payload to the webhook JWT.
    • Copy the JWT value sent by Constant Contact using the X-CTCT-WEBHOOK-SIG.
    • Add the detached notification payload to the JWT.
  3. Use the public JSON web key to verify the signature of the full JWT.

Use JWT libraries that natively support JWTs with detached payloads or the headers “b64”:false and “crit”:[“b64”] that indicate the detached payload was not base 64 encrypted before being signed.