Warning
This is an article for a past version of the web app. To see the latest, go to Console Articles.

eSignature API

How to verify callback data

Legalesign API callbacks, also known as webhooks or event notifications, include a signed string you can use to verify the integrity of the data.

The procedure is the same as verifying AWS SNS broadcasts.

You will need:

  • the data that was sent in JSON format - JSON_DATA_THAT_WE_SENT

  • the signing data - SIGNED_STRING_WE_SENT

  • the X509 certificate (below) - X509_CERT_TEXT

How to find the data:

There are two types of callback. This is how to get the relevant data for each:

  1. Callback every 6 minutes - the callback is POSTed in two parts, 'data' and 'signed'. The SIGNED_STRING is in the 'signed' part and the JSON_DATA is in the 'data' part.

  2. Callback upon signing - the callback POST dictionary contains 'json_signed', which is the JSON_DATA you will need. The request also includes the custom header X-Signed (or HTTP-X-SIGNED), which is the SIGNED_STRING.

This is the verification procedure in Python 2/3. You will need the M2Crypto module:

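from M2Crypto import X509
from base64 import b64decode

# Load the certificate and take its public key
cert = X509.load_cert_string(str(X509_CERT_TEXT))
pubkey = cert.get_pubkey()
pubkey.reset_context(md='sha1')
pubkey.verify_init()

# verify_update needs bytes: a Python 3 str must be encoded,
# a Python 2 str is already bytes and is passed as-is
data = JSON_DATA_THAT_WE_SENT
if not isinstance(data, bytes):
    data = data.encode()
pubkey.verify_update(data)

# The signed string is base64-encoded; verify_final returns 1 on success
verified = pubkey.verify_final(b64decode(SIGNED_STRING_WE_SENT))
if verified == 1:
    print('success!')
else:
    print('fail :(')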
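
The two callback types and the verification step can be combined into one handler-side check. The following is an added example, not Legalesign's own code: the function names are hypothetical, it targets Python 3, and it assumes `form` and `headers` are plain dictionaries of strings as a web framework would supply them.

```python
import json
from base64 import b64decode


def m2crypto_verify(cert_pem, data, signature):
    """RSA/SHA-1 check using the same M2Crypto calls as the procedure above."""
    from M2Crypto import X509  # imported lazily, only needed for the real check
    pubkey = X509.load_cert_string(str(cert_pem)).get_pubkey()
    pubkey.reset_context(md='sha1')
    pubkey.verify_init()
    pubkey.verify_update(data)
    return pubkey.verify_final(signature) == 1


def extract_signed_parts(form, headers):
    """Return (raw_json_text, base64_signature) for either callback type."""
    if 'json_signed' in form:                     # callback upon signing
        # Accept X-Signed, HTTP-X-SIGNED and the HTTP_X_SIGNED spelling
        hdrs = {k.upper().replace('_', '-'): v for k, v in headers.items()}
        signed = hdrs.get('X-SIGNED') or hdrs.get('HTTP-X-SIGNED')
        return form['json_signed'], signed
    return form.get('data'), form.get('signed')   # callback every 6 minutes


def verified_callback(form, headers, cert_pem, verify=m2crypto_verify):
    """Return the parsed JSON only if the signature checks out, else None."""
    raw, signed = extract_signed_parts(form, headers)
    if not raw or not signed:
        return None                               # fail closed on missing parts
    try:
        signature = b64decode(signed.strip(), validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return None                               # malformed base64 is a failure
    # Verify the exact text received: re-serialising the JSON would change
    # the bytes and break the signature check.
    if not verify(cert_pem, raw.encode('utf-8'), signature):
        return None
    return json.loads(raw)                        # parse only after verification
```

Act on a callback only when `verified_callback` returns a dictionary. The `verify` parameter exists so the extraction logic can be exercised in tests without the certificate.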

X509 certificate:


You can force the system to send a test API notification to your callback URL, if you are still in sandbox mode, by using the /api/v1/sandbox/ endpoint.

curl --dump-header - -H "Authorization: ApiKey [x]:[y]" \
  -X GET "https://eu-api.legalesign.com/api/v1/sandbox/?resource_uri=test&value=1"

To contact support, create a new ticket at support.legalesign.com