Callback Public Key - Winam Payments API

Clé publique de vérification des callbacks

curl --request GET \
  --url https://payments.winam.cm/api/v1/security/callback-public-key \
  --header 'X-API-Key: <api-key>'

{
  "algorithm": "<string>",
  "public_key_pem": "<string>",
  "key_id": "<string>"
}

GET

api

security

callback-public-key

Clé publique de vérification des callbacks

curl --request GET \
  --url https://payments.winam.cm/api/v1/security/callback-public-key \
  --header 'X-API-Key: <api-key>'

{
  "algorithm": "<string>",
  "public_key_pem": "<string>",
  "key_id": "<string>"
}

Each webhook sent by winam-payments includes an X-Winam-Signature header — a JWT RS256 token signed with Winam’s private key. Use this endpoint to fetch the corresponding public key for verification.

Cache this response. The key rotates rarely — fetching it on every webhook is unnecessary overhead. A cache TTL of 24 hours is recommended.

See Webhooks for the full signature verification flow with code examples in Python and Node.js.

Authorizations

X-API-Key

string

header

required

Response

200 - application/json

Successful Response

algorithm

string

required

JWT signing algorithm used for outbound webhooks

Example:

"RS256"

public_key_pem

string

required

RSA/ECDSA public key in PEM format. Fetch once and cache — the key rotates rarely.

key_id

string

required

Key rotation identifier. Changes when the key pair is rotated.

Example:

"winam-payments-v1"

Webhooks Errors

⌘I

Documentation Index

Authorizations

Response