
Secure webhooks

Implement security best practices to protect your webhook endpoints

Secure your webhook endpoints to ensure that incoming requests genuinely originate from IDnow and have not been tampered with.


Security headers

When configuring your webhook endpoint in the IDnow dashboard, you can define custom HTTP headers that are sent with every webhook request. IDnow automatically includes these headers in each call. No schema validation is performed.

Steps:

  1. Configure headers: Define the desired headers (e.g. API key or shared secret) in the webhook configuration.
  2. Verify headers: Check that the header values received in the webhook request match the expected ones.

Example patterns:

  • Static token (API Key / Shared Secret): X-Auth-Token: 5eaf37d12c9b4c0987a6f9e1a4f823bf
  • Basic Authentication: Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
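The two header checks above, as an added Python example (not IDnow's code). It assumes the receiving application sees the request headers as a dict; the token value is the one from the example pattern, and the Basic credentials `username` / `password` are the pair encoded in the example header. Comparisons use `hmac.compare_digest` so a mismatch takes the same time regardless of how many leading characters agree.

```python
import base64
import hmac
from typing import Optional

# Values expected on the receiving side. The token is the page's example value;
# the Basic credentials are the pair encoded in the page's example header.
EXPECTED_HEADERS = {"X-Auth-Token": "5eaf37d12c9b4c0987a6f9e1a4f823bf"}
BASIC_USERNAME = "username"
BASIC_PASSWORD = "password"


def _normalize(headers: dict) -> dict:
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {name.lower(): value for name, value in headers.items()}


def static_headers_ok(received: dict, expected: dict = EXPECTED_HEADERS) -> bool:
    """Every configured header must be present with exactly the expected value."""
    received = _normalize(received)
    for name, expected_value in _normalize(expected).items():
        actual = received.get(name)
        if actual is None:
            return False
        # constant-time comparison; differing lengths simply compare unequal
        if not hmac.compare_digest(actual.encode("utf-8"), expected_value.encode("utf-8")):
            return False
    return True


def basic_auth_ok(authorization: Optional[str],
                  username: str = BASIC_USERNAME,
                  password: str = BASIC_PASSWORD) -> bool:
    """Validate an 'Authorization: Basic <base64(user:pass)>' header."""
    if not authorization:
        return False
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        # validate=True rejects stray characters instead of silently skipping them
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, pwd = decoded.partition(":")
    if not sep:
        return False
    return (hmac.compare_digest(user.encode("utf-8"), username.encode("utf-8"))
            and hmac.compare_digest(pwd.encode("utf-8"), password.encode("utf-8")))


if __name__ == "__main__":
    # constructed request headers, as a web framework would hand them over
    incoming = {"x-auth-token": "5eaf37d12c9b4c0987a6f9e1a4f823bf",
                "Authorization": "Basic dXNlcm5hbWU6cGFzc3dvcmQ="}
    print("static header ok:", static_headers_ok(incoming))
    print("basic auth ok:", basic_auth_ok(incoming["Authorization"]))
```

Reject the request (HTTP 401 or 403) and log the source address when either check fails; do not process the body first, because the header check is what establishes that the call came from IDnow at all.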

JWT signature

All webhook payloads are delivered as a JSON Web Token (JWT). The JWT is sent as the HTTP request body with Content-Type: application/jwt. You can optionally verify the JWT signature to ensure the authenticity and integrity of the webhook. See Webhook events for details on decoding the payload.

JWKS endpoint

For sandbox, IDnow exposes its public keys at:

https://auth.eu.platform.idnow.sx/oidc/.well-known/jwks.json

For production, IDnow exposes its public keys at:

https://auth.eu.platform.idnow.io/oidc/.well-known/jwks.json

The JWKS URL is also advertised via the OpenID configuration:

https://auth.eu.platform.idnow.sx/oidc/.well-known/openid-configuration

Validation steps

  1. Extract kid from the JWT header.
  2. Fetch JWKS from the endpoint above.
  3. Select the matching public key using the kid.
  4. Verify the signature.
  5. Validate claims:
    • exp – token not expired
    • iss – issuer matches IDnow
    • aud – token intended for your application

Once the signature and claims are valid, you can safely trust the webhook payload.
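The five validation steps carried through end to end, as an added Python example that is not IDnow's code. It uses only the standard library, so the JWKS document is constructed inline and holds a symmetric `oct` key verified with HS256; IDnow's real JWKS carries asymmetric public keys, and in production you would fetch the document from the URL above and verify with a JWT library (for example PyJWT's `PyJWKClient`, which selects the key by `kid` for you). The issuer, audience, `kid` and secret are all assumptions. The order of the steps is the security-relevant part: pin the algorithm before anything else in the header is trusted, verify the signature before reading any claim, and only then check `exp`, `iss` and `aud`.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed stand-in for the document fetched from the JWKS URL. A symmetric
# "oct" key is used only so the example runs without extra libraries.
CONSTRUCTED_SECRET = b"constructed-demo-secret-not-a-real-key"
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
                  "k": b64url_encode(CONSTRUCTED_SECRET)}]}

# Assumed values; take the real ones from your IDnow configuration.
EXPECTED_ISSUER = "https://issuer.example.invalid"
EXPECTED_AUDIENCE = "my-webhook-receiver"
ALLOWED_ALGS = {"HS256"}  # never accept "none" or an alg the key was not issued for


class WebhookJwtError(Exception):
    """Raised when the webhook JWT fails any validation step."""


def select_key(jwks: dict, kid) -> dict:
    """Step 3: pick the JWK whose kid matches the token header."""
    for key in jwks.get("keys", []):
        if kid is not None and key.get("kid") == kid:
            return key
    raise WebhookJwtError(f"no JWK with kid={kid!r}")


def verify_webhook_jwt(token: str, jwks: dict, issuer: str = EXPECTED_ISSUER,
                       audience: str = EXPECTED_AUDIENCE, now=None) -> dict:
    """Return the verified claims or raise WebhookJwtError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))      # step 1: read kid
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise WebhookJwtError("malformed token") from exc
    if header.get("alg") not in ALLOWED_ALGS:
        raise WebhookJwtError(f"unexpected alg {header.get('alg')!r}")
    key = select_key(jwks, header.get("kid"))               # steps 2-3
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):        # step 4
        raise WebhookJwtError("signature mismatch")
    try:
        claims = json.loads(b64url_decode(payload_b64))     # step 5, only now
    except (ValueError, UnicodeDecodeError) as exc:
        raise WebhookJwtError("malformed payload") from exc
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise WebhookJwtError("token expired or exp missing")
    if claims.get("iss") != issuer:
        raise WebhookJwtError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise WebhookJwtError(f"token not intended for {audience!r}")
    return claims


def is_valid_webhook_jwt(token: str, jwks: dict = JWKS, now=None) -> bool:
    """Boolean convenience wrapper around verify_webhook_jwt."""
    try:
        verify_webhook_jwt(token, jwks, now=now)
        return True
    except WebhookJwtError:
        return False


def sign_demo_token(claims: dict, kid: str = "demo-key-1", alg: str = "HS256",
                    secret: bytes = CONSTRUCTED_SECRET) -> str:
    """Constructed issuer side, present only so the example has tokens to check."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = (f"{b64url_encode(json.dumps(header).encode())}."
                     f"{b64url_encode(json.dumps(claims).encode())}")
    sig = b"" if alg == "none" else hmac.new(secret, signing_input.encode("ascii"),
                                             hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


if __name__ == "__main__":
    demo = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "exp": int(time.time()) + 300, "event": "constructed-event"}
    print(verify_webhook_jwt(sign_demo_token(demo), JWKS))
```

Cache the fetched JWKS and refresh it when a token arrives with an unknown `kid`, so that key rotation on the IDnow side does not turn into an outage on yours; and treat any `WebhookJwtError` as a rejected delivery (HTTP 401), never as a partially trusted payload.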


IP allowlisting

Restrict your webhook endpoint to only accept requests from IDnow IP addresses.

info

IDnow maintains a limited and stable list of IP addresses for webhook delivery.

IP ranges:

Add the IP ranges provided by account managers to your firewall or application allow list.

note

Contact your account manager for the current production IP ranges.
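An application-level allow list check, as an added Python example that is not IDnow's code. The ranges are placeholders from the documentation address blocks (the real ones come from your account manager). The second function shows the caveat that matters when the endpoint sits behind a load balancer: `X-Forwarded-For` is only meaningful when the direct peer is a proxy you control, because otherwise any client can set the header to an allowed address.

```python
import ipaddress
from typing import Iterable, Optional

# PLACEHOLDER ranges from the documentation address blocks; replace with the
# production ranges supplied by your IDnow account manager.
ALLOWED_RANGES = ("203.0.113.0/24", "2001:db8:1::/48")


def _as_networks(ranges: Iterable) -> list:
    """Accept CIDR strings or ip_network objects."""
    return [r if isinstance(r, (ipaddress.IPv4Network, ipaddress.IPv6Network))
            else ipaddress.ip_network(r, strict=False) for r in ranges]


def is_allowed_source(remote_addr: str, allowed: Iterable = ALLOWED_RANGES) -> bool:
    """True when remote_addr falls inside one of the allowed ranges."""
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return False  # unparsable address is never allowed
    # membership across IP versions is simply False, so no version filter needed
    return any(addr in net for net in _as_networks(allowed))


def client_ip(remote_addr: str, forwarded_for: Optional[str] = None,
              trusted_proxies: Iterable = ()) -> str:
    """Resolve the address to check against the allow list.

    Only when the TCP peer is one of *our own* proxies do we consult
    X-Forwarded-For, and then we take the last entry, which is the one that
    trusted proxy appended; earlier entries are client-supplied.
    """
    if forwarded_for and trusted_proxies and is_allowed_source(remote_addr, trusted_proxies):
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def webhook_source_allowed(remote_addr: str, forwarded_for: Optional[str] = None,
                           trusted_proxies: Iterable = (),
                           allowed: Iterable = ALLOWED_RANGES) -> bool:
    return is_allowed_source(client_ip(remote_addr, forwarded_for, trusted_proxies), allowed)


if __name__ == "__main__":
    # constructed: direct hit from an allowed range, and a forged header from outside it
    print(webhook_source_allowed("203.0.113.7"))
    print(webhook_source_allowed("198.51.100.9", "203.0.113.7"))
```

Prefer enforcing the same ranges at the firewall or load balancer as well; the application check is the second layer, and it is the one that needs the proxy-awareness shown above.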


TLS requirements

Your webhook endpoint must support TLS 1.2 or higher. IDnow validates your endpoint's TLS configuration during setup.

Supported TLS versions:

  • TLS 1.2: Supported and recommended
  • TLS 1.3: Supported and recommended