How to verify the callback signature
How does the callback signature work?
CryptAPI's callback signature works with public-key signature scheme, using a 1024-bit RSA SHA256 signature. It signs the entire callback sent to your service, therefore you can trust that all the data was sent from our service.
If the request is sent via GET, then the full URL (with all GET parameters) are signed. If you requested to receive the callback via POST, then the entire request body is signed.
The public key used to validate the signature can be fetched from the following endpoint: https://api.cryptapi.io/pubkey/
The signature is sent via the "x-ca-signature" header of the request, and is base64-encoded.
How do I validate the callback?