
JWT webhook/return token validation #18

Description

@rammrain

Summary

Implement validation of incoming JWT tokens received from Montonio on payment return or webhook callback.

Requirements

  • Parse and validate JWT tokens from Montonio callbacks
  • Verify HS256 signature using the merchant's secret key
  • Verify token expiration
  • Verify merchant identity (access key claim)
  • Extract structured payment result: status, order UUID, merchant reference, payment provider name, sender details
  • Return typed errors on validation failure (expired, bad signature, wrong merchant, malformed)
  • Support multi-merchant — select correct secret key based on token claims

Refs

  • initial-docs/project1.md — validate return/webhook token, verify signature/expiration/merchant/reference
  • initial-docs/project2.md — parse webhook JWT into structured order result

Testing

Unit tests covering: valid token parsing, expired token rejection, invalid signature rejection, wrong merchant rejection, malformed token handling, multi-merchant key selection. Target near-perfect coverage.

Labels: enhancement (New feature or request)