Webhooks OAuth with JWT

Hi,

I have a query regarding Webhooks creation with OAuth and JWT. Basically, Cybersource will send a POST request to the client server to get the access token for sending a notification. In this request, every client server will expect a signed JWT token (signed with a private key). So, the client server will provide the access token in the response, and using this access token, Cybersource will send the notification.

Before creating the webhook subscription, the client needs to upload the public key to their server. Where does the client need to get the public and private keys? If the client creates a new certificate, how will the client send the private key to Cybersource?

According to the webhooks documentation, we need to download the Visa Corporate Root CA - G2 certificate (which is the public key) from enroll.visaca.com. Is Cybersource sending a JWT signed with a private key? Some client servers expect RSA 3072 or 4096 bits, but as per the Cybersource document, this Visa Corporate Root CA - G2 is 2048 bits. If we want a 3072 or 4096 bit certificate, how can we enroll for these certificates in Cybersource?

Thanks,

Sai Krishna

sai8
Member
3 REPLIES

To handle Webhooks with OAuth and JWT for Cybersource:

  1. Public and Private Keys: Clients need to generate their own public-private key pair. Tools like OpenSSL can be used for this purpose. The private key is kept secure on the client’s server, while the public key is shared with Cybersource for verification.

  2. Sending the Private Key: The private key is never sent to Cybersource. Instead, you only upload the public key to Cybersource.

  3. JWT Signing: Cybersource uses its own private key to sign JWTs. Clients should use their private keys to sign JWTs for webhook subscriptions.

  4. Certificate Bits: The Visa Corporate Root CA - G2 certificate (2048 bits) is used to verify Cybersource’s JWT signatures. For RSA keys of 3072 or 4096 bits, you need to ensure your setup is compatible with Cybersource's infrastructure. Consult Cybersource support for specific requirements and enrollment options.

oliverbennett
Member

Thank you for your reply @oliverbennett 

  1. Task/Procedure: Here the client is subscribing to Cybersource webhooks. So, Cybersource needs to send the signed JWT to get the access token from the client server. After that, Cybersource will send the webhook notifications using the access token.
  2. Point 3: JWT Signing: If Cybersource uses its own private key to sign JWTs, how will the client server verify the JWT? Where will we get the corresponding public key for verification?
  3. Point 4: Certificate Bits: If the only option is to use 3072 or 4096 bits on the client server, where can we enroll for a new certificate with 3072 or 4096 bits (to get the public key for verification on the client server)?
  4. I have tried to verify the Cybersource JWT with the Visa Corporate Root CA - G2 public key, but the verification failed. My assumption is that Cybersource might be sending a JWT signed with a different private key.
  5. In the webhook documentation, this Visa Corporate Root CA - G2 certificate is mentioned.

Please find the below webhook documentation screenshot.

Screenshot 2024-08-05 205358.png

Please find the below image for Cybersource Webhook API.

Screenshot 2024-08-05 203358.png

Thanks

Hi Sai Krishna,

For Webhooks with OAuth and JWT, you'll need to generate a key pair (public and private keys) yourself. The private key remains confidential and is used to sign the JWT, while the public key is uploaded to Cybersource. Cybersource uses its private key to sign JWTs. If your client requires RSA 3072 or 4096-bit keys, you'll need to verify with Cybersource if they support those sizes or if their documentation can be updated accordingly.

oliverbennett
Member
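As an added example (not code from this thread, from Cybersource, or from Visa), here is the client-side half of the flow the original question and the numbered reply describe: the token endpoint receives a JWT, extracts the public key from the certificate it has been told to trust, and verifies the signature before it would hand back an access token. It uses only Go's standard library. Everything in it is constructed for the demo: the issuer key pair, the self-signed certificate that stands in for the real trusted certificate, the claim values, and the function names (`SignJWT`, `VerifyJWT`, `SelfSignedCertDER`, `PublicKeyFromCert`, `Demo`). RS256 is assumed as the signing algorithm; the thread does not state which algorithm Cybersource uses. The demo also reproduces the failure the asker saw: the same token checked against an unrelated certificate's public key is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// must panics on setup errors so the demo stays focused on verification.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SignJWT builds a minimal RS256 JWT. In the thread this runs on the issuer's
// (Cybersource's) side; it is here only so verification can be exercised offline.
func SignJWT(priv *rsa.PrivateKey, claims map[string]any) string {
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(must(json.Marshal(claims)))
	digest := sha256.Sum256([]byte(input))
	return input + "." + b64.EncodeToString(must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])))
}

// VerifyJWT is the client token endpoint's check before it issues an access token:
// pin alg to RS256, verify the signature with the trusted public key, check expiry.
func VerifyJWT(token string, pub *rsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported or unreadable header (alg=%q); the token never picks the algorithm", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the supplied certificate's public key")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("unreadable payload")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or has no exp claim")
	}
	return claims, nil
}

// SelfSignedCertDER is issuer-side setup: a constructed self-signed certificate
// standing in for whichever certificate the client is told to trust.
func SelfSignedCertDER(priv *rsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-jwt-issuer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
}

// PublicKeyFromCert is the client-side step: a certificate carries only the public
// key, which is all verification needs; the private key never leaves the issuer.
func PublicKeyFromCert(der []byte) (*rsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return pub, nil
}

// Demo signs with an issuer key of the given size, then verifies against the issuer's
// certificate (passes) and an unrelated one (fails). Returns (withIssuerCert, withOtherCert).
func Demo(bits int) (bool, bool) {
	issuer := must(rsa.GenerateKey(rand.Reader, bits))
	other := must(rsa.GenerateKey(rand.Reader, bits))
	now := time.Now()
	token := SignJWT(issuer, map[string]any{"iss": "constructed-issuer", "exp": now.Add(5 * time.Minute).Unix()})
	_, errMatch := VerifyJWT(token, must(PublicKeyFromCert(SelfSignedCertDER(issuer))), now)
	_, errMismatch := VerifyJWT(token, must(PublicKeyFromCert(SelfSignedCertDER(other))), now)
	return errMatch == nil, errMismatch == nil
}

func main() {
	ok, bad := Demo(2048) // 3072 or 4096 work identically, key generation just takes longer
	fmt.Printf("verifies with issuer cert: %v, with unrelated cert: %v\n", ok, bad)
}
```

Two points follow from the code rather than from any particular vendor. The size of the key that verifies a token is fixed by the signer's certificate, so a verifier cannot choose 3072 or 4096 bits on its own; that decision has to come from the party that signs. And a verification failure against a given certificate tells you only that the token was not signed by the private key matching that certificate, which is why confirming with the sender exactly which certificate (and which algorithm) they sign with is the productive next step. A production endpoint would also validate the certificate's chain to the trusted root rather than trusting a single parsed certificate, and check the `iss`/`aud` claims before issuing an access token.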