Hi,
I have a query regarding Webhooks creation with OAuth and JWT. Basically, Cybersource will send a POST request to the client server to get the access token for sending a notification. In this request, every client server will expect a signed JWT token (signed with a private key). So, the client server will provide the access token in the response, and using this access token, Cybersource will send the notification.
Before creating the webhook subscription, the client needs to upload the public key to their server. Where does the client need to get the public and private keys? If the client creates a new certificate, how will the client send the private key to Cybersource?
According to the webhooks documentation, we need to download the Visa Corporate Root CA - G2 certificate (which is the public key) from enroll.visaca.com. Is Cybersource sending a JWT signed with a private key? Some client servers expect RSA 3072 or 4096 bits, but as per the Cybersource document, this Visa Corporate Root CA - G2 is 2048 bits. If we want a 3072 or 4096 bit certificate, how can we enroll for these certificates in Cybersource?
Thanks,
Sai Krishna
07-31-2024 02:42 AM
To handle Webhooks with OAuth and JWT for Cybersource:
Public and Private Keys: Clients need to generate their own public-private key pair. Tools like OpenSSL can be used for this purpose. The private key is kept secure on the client’s server, while the public key is shared with Cybersource for verification.
Sending the Private Key: The private key is never sent to Cybersource. Instead, you only upload the public key to Cybersource.
JWT Signing: Cybersource uses its own private key to sign JWTs. Clients should use their private keys to sign JWTs for webhook subscriptions.
Certificate Bits: The Visa Corporate Root CA - G2 certificate (2048 bits) is used to verify Cybersource’s JWT signatures. For RSA keys of 3072 or 4096 bits, you need to ensure your setup is compatible with Cybersource's infrastructure. Consult Cybersource support for specific requirements and enrollment options.
08-05-2024 05:17 AM
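The key handling described in the reply above, as an added example that is not part of the original thread and is not Cybersource's code: a generic RS256 sketch with OpenSSL in which the signer generates a 3072-bit key pair and signs a JWT, and the verifier checks it holding only the public key. The file names, claim values and key size are assumptions for illustration; which party signs in the Cybersource flow is for their documentation to settle.

```shell
# Added example: generic RS256 JWT signing/verification with OpenSSL.
# Function names, file names and claims are hypothetical.
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

b64url_decode() {
  local s; s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done   # restore padding
  printf '%s' "$s" | openssl base64 -d -A
}

# make_keypair <private.pem> <public.pem> <bits>
make_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$3" -out "$1" 2>/dev/null
  chmod 600 "$1"                       # private key never leaves the signer
  openssl pkey -in "$1" -pubout -out "$2"
}

# key_bits <public.pem>: modulus length in bits, to check a minimum size policy
key_bits() {
  local m; m=$(openssl rsa -pubin -in "$1" -noout -modulus)
  m=${m#Modulus=}
  echo $(( ${#m} * 4 ))
}

# sign_jwt <private.pem> <claims-json>: prints header.payload.signature
sign_jwt() {
  local input sig
  input="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url).$(printf '%s' "$2" | b64url)"
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s\n' "$input" "$sig"
}

# verify_jwt <public.pem> <jwt>: returns 0 only for a valid RS256 signature
verify_jwt() {
  local header payload sig tmp rc
  IFS=. read -r header payload sig <<EOF
$2
EOF
  case "$(printf '%s' "$header" | b64url_decode)" in
    *'"alg":"RS256"'*) ;;              # pin the algorithm, reject anything else
    *) return 1 ;;
  esac
  tmp=$(mktemp)
  printf '%s' "$sig" | b64url_decode > "$tmp"
  printf '%s' "$header.$payload" | openssl dgst -sha256 -verify "$1" -signature "$tmp" >/dev/null 2>&1
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

A real verifier would also validate claims such as expiry and audience after the signature check; this sketch covers only the signature and key-size parts discussed in the thread.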
Thank you for your reply @oliverbennett
Please find the below webhook documentation screenshot.
Please find the below image for Cybersource Webhook API.
Thanks
08-05-2024 08:32 AM
Hi Sai Krishna,
For Webhooks with OAuth and JWT, you'll need to generate a key pair (public and private keys) yourself. The private key remains confidential and is used to sign the JWT, while the public key is uploaded to Cybersource. Cybersource uses its private key to sign JWTs. If your client requires RSA 3072 or 4096-bit keys, you'll need to verify with Cybersource if they support those sizes or if their documentation can be updated accordingly.
08-06-2024 07:33 AM