When making async requests with the Data API, or listening for status change events with the Payments API, you may want to verify the identity of requests sent to your webhook_uri.
We are unable to share IP addresses because we do not use fixed blocks of IP addresses due to our infrastructure being elastic in nature.
Solution
What to do next?
If you would like to whitelist calls from TrueLayer, you can do so by adding a unique query parameter to the webhook_uri that will allow you to identify anything that comes from TrueLayer. The example below shows the format in which you should structure your webhook_uri.
For added security, you can add a signed JWT as a parameter for the webhook callback. Because you have signed the token yourself, you can trust it: decode it and check that its contents match what you set.
Example
https://mywebhook.app?unique_param=x
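The signed-token approach described above, as an added example that is not TrueLayer's code: your service signs an HS256 JWT, appends it to the webhook_uri, and verifies it when the callback arrives. The parameter name `token`, the `ref` and `exp` claims, and the secret are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, urlparse, parse_qs

SECRET = b"constructed-demo-secret"  # assumption: a key known only to your service

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def build_webhook_uri(base: str, request_ref: str, ttl: int = 3600) -> str:
    # Bind the token to one request (hypothetical "ref" claim) and give it an expiry.
    claims = {"ref": request_ref, "exp": int(time.time()) + ttl}
    return f"{base}?{urlencode({'token': sign_jwt(claims)})}"

def verify_callback(url: str, expected_ref: str, secret: bytes = SECRET) -> bool:
    tokens = parse_qs(urlparse(url).query).get("token", [])
    if len(tokens) != 1 or tokens[0].count(".") != 2:
        return False
    header, body, sig = tokens[0].split(".")
    try:
        # Pin the algorithm on the verifier side; never let the token choose it.
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return False
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        # Constant-time comparison of the recomputed and presented signatures.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError):
        return False
    return claims.get("ref") == expected_ref and claims.get("exp", 0) > time.time()
```

Because the token travels in the URL, it can end up in access logs, so keep its lifetime short and bind it to a single request as shown.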