Returns the public key used to verify webhook signatures.
When you receive a webhook callback, verify it’s from Lamina by checking the
ED25519 signature in the X-Lamina-Webhook-Signature header.
Verification steps:
<timestamp>.<raw_body>Headers sent with each webhook:
X-Lamina-Webhook-Signature — ED25519 signature (hex-encoded)X-Lamina-Webhook-Timestamp — Unix timestamp (seconds) when signedX-Lamina-Webhook-Request-Id — Execution ID (for idempotency)X-Lamina-Webhook-User-Id — User ID that triggered the executionContent-Type: application/jsonRetry policy: If your endpoint returns non-2xx or times out (15s), we retry 3 times with backoff: 5s, 30s, 2 minutes. Each retry has a fresh signature.
Replay protection: Reject webhooks with timestamps older than 5 minutes.
The signing key is returned as a JWK. Consume it directly — the x field
is a raw 32-byte Ed25519 public key (base64url), not a DER/SPKI blob.
Node.js verification example:
const crypto = require('crypto');
// Fetch once at startup: const { keys } = await fetch('.../v1/webhooks/signing-key').then(r => r.json());
// const PUBLIC_JWK = keys[0];
function verifyLaminaWebhook(rawBody, signatureHex, timestamp, jwk) {
const publicKey = crypto.createPublicKey({ key: jwk, format: 'jwk' });
const message = Buffer.from(timestamp + '.' + rawBody);
const signature = Buffer.from(signatureHex, 'hex');
return crypto.verify(null, message, publicKey, signature);
}
Python verification example:
import base64
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
# jwk = requests.get('.../v1/webhooks/signing-key').json()['keys'][0]
# raw = base64.urlsafe_b64decode(jwk['x'] + '==') # 32-byte Ed25519 public key
# public_key = Ed25519PublicKey.from_public_bytes(raw)
def verify_lamina_webhook(raw_body, signature_hex, timestamp, public_key):
message = f"{timestamp}.{raw_body}".encode()
signature = bytes.fromhex(signature_hex)
public_key.verify(signature, message) # Raises on failure