Payment Event Tokens
If you have a webhook endpoint on your web application and have configured your Phenixio account settings accordingly (see the previous section: Webhooks), we will send you event notifications when a payment event happens.
For convenience and security, we use industry-standard JWTs. If you are not already familiar with JWTs, you can learn more about them at jwt.io. They are simply JSON messages with cryptographic signatures, providing secure communication between two parties.
The JSON content is safe against tampering. If the content of the message is changed by an attacker, the signature becomes invalid. Since the attacker does not have the private key needed to generate a valid signature, their attempt will fail.
Currently we use RS256 (RSA Signature with SHA-256). It is an asymmetric algorithm that uses a public/private key pair: the identity provider has a private (secret) key used to generate the signature, and the consumer of the JWT gets a public key to validate the signature. This helps us avoid sharing the secret. Only the private key holder can generate a valid signature for a given public key, but anyone with the public key can verify that the token was indeed generated by the trusted party.
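The check described above, as an added example for a Node.js webhook handler (not Phenixio's own code): it pins the algorithm to RS256 and verifies the signature over the received bytes before the payload is used. The function names, the payload fields and the throwaway key pair are assumptions constructed for the demonstration; in production the public key is the one the sender publishes.

```javascript
// Added example: verify an RS256-signed event JWT with Node's built-in crypto.
const crypto = require('node:crypto');

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Returns the decoded payload, or throws if the token must not be trusted.
function verifyEventToken(token, publicKeyPem) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [headerB64, payloadB64, sigB64] = parts;

  // Pin the algorithm: never let the token's own header choose how it is verified.
  const header = b64urlJson(headerB64);
  if (header.alg !== 'RS256') throw new Error('unexpected alg');

  // The signature covers the exact bytes "<header>.<payload>" as received.
  const ok = crypto.verify(
    'RSA-SHA256',
    Buffer.from(`${headerB64}.${payloadB64}`, 'ascii'),
    publicKeyPem,
    Buffer.from(sigB64, 'base64url')
  );
  if (!ok) throw new Error('invalid signature');

  // Parse and use the payload only after the signature has been checked.
  return b64urlJson(payloadB64);
}

// Constructed sample data: a throwaway key pair stands in for the sender's key.
function makeSampleToken(payload, privateKeyPem) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const signingInput = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput, 'ascii'), privateKeyPem);
  return `${signingInput}.${sig.toString('base64url')}`;
}

const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
// Hypothetical payload fields; the real event schema is not shown on this page.
const sampleToken = makeSampleToken({ event: 'payment.succeeded', amount: 1000 }, privateKey);
```

A handler should respond with an error and discard the event whenever verifyEventToken throws.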