At the bottom of each security event token you’ll see a block of text that looks similar to this:
This is the token signature, a hashed and encrypted string that enables you to verify the validity of the token. Signatures are created and encrypted by:
- Combining the header, the payload, and a secret (i.e., a password).
- Encrypting that combination using one of the allowed encrypting algorithms. The most commonly-used hashing algorithm is HMAC SHA256 (aka HS256).
And how do you decrypt a token signature? For that, you need to use JSON Web Keys.
A Note About Webhook Signatures
Keep in mind that signatures are used for verifying security event tokens, not for safeguarding the contents of those tokens. For example, suppose you have an encoded token, but you don’t have the JSON Web Key used to sign that token. That’s fine: you can still decode the token. You just won’t be able to validate the signature:
That’s the expected behavior, and, as we’ve noted before, that’s fine: after all, webhook notifications don’t contain any personally-identifiable information, which means that there’s little (if any) risk involved in someone decoding a notification that was never meant for them.