Has anyone here worked with any platform or client...
# random
r
Has anyone here worked with any platform or clients that required you to sign webhooks sent to them using certificates that they have provided? One of our clients is updating to a new version of IBM's order management system, and now they require all the webhooks we send to them to be signed with an X.509 certificate provided by them. I'm trying to find existing patterns for the same.
👏 1
g
My team built an internal webhooks framework at Oracle and had to deal with multiple auth schemas that clients would want, including X.509 signing.
r
So clients would submit their certificate in what format? And y'all built an API to accept their certificate, validate it, and store it for use?
g
Yup. You can accept base64-encoded or directly, depends on how you're storing/signing. Everything confidential will have to be stored separately from your main DB in something like vault. The process sending the webhook will access the keys, sign, and send.
d
If you're trying to look for publicly available code, I think apns works with cert auth. So any multi-tenant oss notification system would have implemented it. If they have a test or health endpoint, that would be easiest to work with while the cert is being uploaded.
r
Thanks! By apns you're referring to Apple Push Notification Service? What does oss stand for?
💯 1
g
Open Source Software?
👍 2