Validate signed responses

In order to guarantee the integrity of API responses, Rabobank digitally signs all responses of the Rabo Identity Services APIs. You can also use this feature to determine the integrity and authenticity of the response.

This functionality relies on JWS (JSON Web Signatures) for computing and signing the response payloads and JWK (JSON Web Keys) for the publication of the key material required to validate the integrity and authenticity. 

Follow the listed steps to validate the integrity and authenticity of your response:

Obtain the JSON Web Key

All Rabo Identity Services APIs expose an endpoint that publishes the JSON Web Key used to validate the signature on the response.

Retrieve the JWK by invoking the GET /keys endpoint on your subscribed API. The response contains the public part of the cryptographic key; the corresponding private key is the one used to compute the signature.

{
  "keys": [
    {
      "kty": "RSA",
      "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
      "e": "AQAB",
      "alg": "RS256",
      "kid": "12345"
    }
  ]
}

The object with the keys array should be used in its entirety when the signature validation is performed.

Obtain the X-JWS-Signature header

The API response should contain the X-JWS-Signature header. This header represents a signed JWT and is computed from the payload of the corresponding response.

The header of the X-JWS-Signature value contains a Key ID, referred to as kid. This value should match the kid value in the public part of the JSON Web Key. 

The signed JWT itself contains a header part and a signature part, but its payload part is empty. This payload must be populated before the signature is validated.

Validating the X-JWS-Signature

After the JWK and the X-JWS-Signature are obtained, you can validate the signature.

To determine the integrity and authenticity of any API response, base64url-encode the payload of the API response and insert it into the payload section of the X-JWS-Signature value (this section is empty by default).

After the entire JWS is composed, the X-JWS-Signature value can be verified by applying the object with the keys array, as obtained from the GET /keys endpoint.

Certain API responses can be large. For performance reasons, the encoded payload is therefore not duplicated in the X-JWS-Signature header.
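The validation steps above, written out as an added example (not Rabobank's own code): it re-attaches the base64url-encoded body to the detached X-JWS-Signature value, selects the JWK by kid, and checks the RS256 signature using only the Python standard library. The function names are hypothetical, and RS256 is assumed from the "alg" value in the sample JWK; in production the RSA step would normally be left to a maintained JOSE library.

```python
import base64, hashlib, hmac, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u_enc(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def emsa_pkcs1_v15(message: bytes, k_len: int) -> bytes:
    """Expected RS256 encoded message: 00 01 FF..FF 00 DigestInfo(SHA-256)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k_len - len(t) - 3) + b"\x00" + t

def verify_detached_jws(x_jws_signature: str, body: bytes, jwks: dict) -> bool:
    """True only if body (raw bytes as received) matches the detached signature."""
    parts = x_jws_signature.split(".")
    if len(parts) != 3 or parts[1] != "":      # expect header..signature
        return False
    try:
        header = json.loads(b64u_dec(parts[0]))
        signature = b64u_dec(parts[2])
    except ValueError:
        return False
    # Pin the algorithm instead of trusting the header (rejects "none", HS256).
    if not isinstance(header, dict) or header.get("alg") != "RS256" or "kid" not in header:
        return False
    # Pick the published key whose kid matches the kid in the JWS header.
    key = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "RSA" and k.get("kid") == header["kid"]), None)
    if key is None:
        return False
    n = int.from_bytes(b64u_dec(key["n"]), "big")
    e = int.from_bytes(b64u_dec(key["e"]), "big")
    k_len = (n.bit_length() + 7) // 8
    if len(signature) != k_len:
        return False
    # Re-attach the payload: the signing input is header "." base64url(body).
    signing_input = f"{parts[0]}.{b64u_enc(body)}".encode()
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k_len, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(signing_input, k_len))
```

Pass the response body exactly as received on the wire; parsing and re-serialising the JSON first changes the bytes and makes a valid signature fail.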