Validate that a webhook from Constant Contact is authentic.

Validate webhook notifications you receive from Constant Contact to ensure that the:

  • webhook is from Constant Contact
  • message content has remained unchanged

Webhook Callback Signature Format

The signature is a JWS (JSON Web Signature, RFC 7515) with detached content: the notification body is the payload, but it is carried in the HTTP request body rather than inside the signature. For efficiency and simplicity the signature uses the RFC 7797 unencoded-payload option, so the raw payload bytes are signed as-is instead of being base64url-encoded first. The ts (timestamp) field is carried in the protected JWS header, records when the webhook call was initiated, and lets you reject replayed notifications.

JWS Header

The JWS header includes the following:

  • alg: the signature algorithm that Constant Contact used to sign the payload (RS256 in the example below). Verify against the algorithm you expect rather than whatever the header claims.

  • ts: the timestamp showing when the webhook call was initiated, which allows you to mitigate replay attacks.

  • b64: false, indicating that the payload was not base64url-encoded before it was signed (RFC 7797).

  • crit: the list of header parameters a verifier must understand in order to accept the signature. It names "b64" so that a library that does not implement RFC 7797 rejects the signature instead of verifying it incorrectly.

For example:

{
   "alg":"RS256",
   "ts":1603992205,
   "b64":false,
   "crit":["b64"]
}

Validate the Signature

To validate the signature of a notification event:

  1. Make a GET request to the Constant Contact JWKS URL and obtain the public signing key for webhooks. The URL is https://developer.constantcontact.com/.well-known/jwks.json. It returns a JSON Web Key Set containing Constant Contact's public JSON Web Keys. Cache the key set and refresh it if verification fails with an unknown key.
  2. Reattach the notification payload to the detached JWS.
    • Copy the value of the X-CTCT-WEBHOOK-SIG request header sent by Constant Contact. It has the form header..signature, with the payload section left empty.
    • Insert the raw request body, exactly as received (not a re-serialized copy, since any byte difference invalidates the signature), as the payload.
  3. Use the public JSON Web Key to verify the signature over the reassembled JWS, confirm that alg is the algorithm you expect, and reject the notification if ts falls outside the replay window you accept.

Use JWS/JWT libraries that natively support detached payloads and honor the headers "b64":false and "crit":["b64"], which indicate that the detached payload was not base64url-encoded before being signed. A library that ignores crit will compute the wrong signing input and reject valid signatures, or, worse, silently skip the check.