java7

truelayer-signing

Java package to produce & verify TrueLayer API requests signatures.

Usage in java/scala/kotlin code.

// `Tl-Signature` value to send with the request.
Signer.from(kid, privateKey)
        .header("Idempotency-Key", idempotencyKey)
        .method("post")
        .path(path)
        .body(body)
        .sign();

See full example.

Verifying webhooks

The Verifier.verifyWithJwks function may be used to verify Tl-Signature header signatures.

// `jku` field is included in webhook signatures
String jku = Verifier.extractJku(webhookSignature);

// check `jku` is an allowed TrueLayer url & fetch jwks JSON (not provided by this lib)
ensureJkuAllowed(jku);
String jwks = fetchJwks(jku);

Verifier.verifyWithJwks(jwks)
        .method("POST")
        .path(path)
        .headers(allWebhookHeaders)
        .body(body)
        .verify(webhookSignature);

See webhook server example.

Installation

Stable releases are hosted on Maven Central

	dependencies {
	        implementation 'com.truelayer:truelayer-signing:$version'
	}