Fireblocks WebHook

What is the difference between the webhook in settings>general>webhooks and settings>notifications>webhooks?

For the webhook under notifications, I am required to add a secret key for JWT. What type of key is to be added? RSA secret key?

Hi @Ephraim, I am glad you asked!

We have the General settings webhooks, which are more of a developer webhook and provide detailed data about transactions, including transaction fees, sub-status, block height and number, and more.

For more administrative webhooks, we provide a Notifications Center that notifies you about log-ins, wallet and vault creations, and other notifications.

Kindly note that, as mentioned previously, the authentication methods are different.

When the developer webhook is sent, it includes the Fireblocks-Signature header, which contains a signed payload using the Fireblocks private key. You should verify this signature using the public key provided in the documentation. In contrast, the notifications webhook is signed with a symmetric key that you configure through the web console.

Is this the valid public key? I am getting an invalid signature for the sandbox environment.

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw+fZuC+0vDYTf8fYnCN6
71iHg98lPHBmafmqZqb+TUexn9sH6qNIBZ5SgYFxFK6dYXIuJ5uoORzihREvZVZP
8DphdeKOMUrMr6b+Cchb2qS8qz8WS7xtyLU9GnBn6M5mWfjkjQr1jbilH15Zvcpz
ECC8aPUAy2EbHpnr10if2IHkIAWLYD+0khpCjpWtsfuX+LxqzlqQVW9xc6z7tshK
eCSEa6Oh8+ia7Zlu0b+2xmy2Arb6xGl+s+Rnof4lsq9tZS6f03huc+XVTmd6H2We
WxFMfGyDCX2akEg2aAvx7231/6S0vBFGiX0C+3GbXlieHDplLGoODHUt5hxbPJnK
IwIDAQAB
-----END PUBLIC KEY-----

I am using Python, and here is a snippet of the function:

import base64

from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.hashes import SHA256
from cryptography.hazmat.primitives import serialization
from cryptography.exceptions import InvalidSignature

def verify_signed_object(public_key_pem: str, payload: bytes, signature: str) -> bool:
    try:
        # Load the PEM-encoded RSA public key
        public_key = serialization.load_pem_public_key(public_key_pem.encode('utf-8'))
        # The signature arrives base64-encoded in the header
        decoded_signature = base64.b64decode(signature)

        # RSA PKCS#1 v1.5 verification over the payload bytes
        public_key.verify(
            decoded_signature,
            payload,
            padding.PKCS1v15(),
            SHA256(),
        )
        return True
    except Exception as e:
        print(f"Signature verification failed: {e}")
        return False

It was a mistake on my end: I was using the algorithm SHA256 instead of SHA512.
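The hash mismatch resolved in this thread, reproduced as an added example (not code from the thread or from Fireblocks): a signature made with SHA-512 fails verification under SHA-256, and also fails if the body is re-serialized before verifying. The throwaway key pair, the sample body and the names `verify_webhook` and `demo` are constructed for illustration; a real receiver loads the provider's published public key.

```python
import base64

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def verify_webhook(public_key_pem: bytes, raw_body: bytes, signature_b64: str,
                   hash_alg: hashes.HashAlgorithm) -> bool:
    """Verify a base64 RSA PKCS#1 v1.5 signature over the exact request body bytes."""
    public_key = serialization.load_pem_public_key(public_key_pem)
    try:
        signature = base64.b64decode(signature_b64, validate=True)
        public_key.verify(signature, raw_body, padding.PKCS1v15(), hash_alg)
        return True
    except (InvalidSignature, ValueError):
        # ValueError covers malformed base64; either way the request is rejected.
        return False


def demo() -> dict:
    # Constructed stand-in for the sender: a key pair generated locally (assumption).
    sender_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = sender_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    # Constructed sample body; the field names are illustrative only.
    raw_body = b'{"type": "EXAMPLE_EVENT", "data": {"id": "example-tx"}}'
    signature_b64 = base64.b64encode(
        sender_key.sign(raw_body, padding.PKCS1v15(), hashes.SHA512())
    ).decode()

    # Same JSON content, different bytes: what a parse-then-dump round trip can produce.
    reserialized = raw_body.replace(b": ", b":")
    return {
        "sha512": verify_webhook(public_pem, raw_body, signature_b64, hashes.SHA512()),
        "sha256": verify_webhook(public_pem, raw_body, signature_b64, hashes.SHA256()),
        "reserialized": verify_webhook(public_pem, reserialized, signature_b64, hashes.SHA512()),
        "bad_base64": verify_webhook(public_pem, raw_body, "not base64!!", hashes.SHA512()),
    }


if __name__ == "__main__":
    print(demo())
```

In a web framework, pass the raw request body bytes to the verifier before any JSON parsing, since the signature covers bytes rather than the parsed object.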