Lib.rs

Cryptography
#signature #body #path #post #webhook #true-layer #idempotency-key #payouts

truelayer-signing

Produce & verify TrueLayer API requests signatures

Owned by Alessandro Zanin, Ethan Brierley, suryapandian, TrueLayer, Alessandro Bracco, tl-rodrigo-gryzinski.

10 releases

0.3.1 Jul 15, 2024
0.2.1 Mar 20, 2024
0.1.6 Dec 20, 2022
0.1.5 Aug 15, 2022
0.1.1 Nov 23, 2021

#207 in Cryptography

Download history 806/week @ 2025-01-12 1496/week @ 2025-01-19 935/week @ 2025-01-26 1301/week @ 2025-02-02 890/week @ 2025-02-09 495/week @ 2025-02-16 702/week @ 2025-02-23 1040/week @ 2025-03-02 482/week @ 2025-03-09 453/week @ 2025-03-16 272/week @ 2025-03-23 178/week @ 2025-03-30 670/week @ 2025-04-06 1147/week @ 2025-04-13 599/week @ 2025-04-20 688/week @ 2025-04-27

3,105 downloads per month

MIT/Apache

46KB
920 lines

truelayer-signing

Rust crate to produce & verify TrueLayer API requests signatures.

Crates.io Docs.rs

// `Tl-Signature` value to send with the request.
let tl_signature = truelayer_signing::sign_with_pem(kid, private_key)
    .method(Method::Post)
    .path("/payouts")
    .header("Idempotency-Key", idempotency_key)
    .body(body)
    .build_signer()
    .sign()?;

See full example.

Prerequisites

  • OpenSSL (see here for instructions).

Verifying webhooks

The verify_with_jwks function may be used to verify webhook Tl-Signature header signatures.

// `jku` field is included in webhook signatures
let jku = truelayer_signing::extract_jws_header(webhook_signature)?.jku?;

// check `jku` is an allowed TrueLayer url & fetch jwks JSON (not provided by this lib)
ensure_jku_allowed(jku)?;
let jwks = fetch_jwks(jku);

// jwks may be used directly to verify a signature
truelayer_signing::verify_with_jwks(jwks)
    .method(Method::Post)
    .path(path)
    .headers(all_webhook_headers)
    .body(body)
    .build_verifier()
    .verify(webhook_signature)?;

See webhook server example.

Dependencies

~3–5MB
~98K SLoC