To ensure that the Webhook request truly comes from Ragic and that its content has not been tampered with, Webhooks configured as "Send full content of changed record." will include a signature in the request.
After receiving the Webhook, you can use the public key we provide to verify the signature.
If verification fails, the request may have been tampered with, and it is recommended to reject it instead of processing it.
1.1. Extract the data property from the Webhook request. (The data property should be in JSONArray format)
1.2. Serialize it into a JSON string with keys sorted alphabetically, no indentation, and no line breaks. In other words, "for each object in the JSONArray, reorder all fields alphabetically, then output as a single-line JSON".
// Before conversion (original data property):
[ { "1001030":"banana", "1001029":"apple" } ]
// After conversion (string-to-sign):
[{"1001029":"apple","1001030":"banana"}]
Note: If the serialization method is inconsistent with ours, the signature verification will fail.
2.1. Extract the signature property from the Webhook request.
2.2. Download the public key (see "Get Public Key").
2.3. Use a verification tool that supports SHA256withRSA to check the signature against the string-to-sign from step 1.2, using the public key.
2.4. If verification succeeds, it means the request is from Ragic and its content has not been tampered with.
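The two steps above (building the string-to-sign, then checking the signature), as an added Node.js example that is not Ragic's own code. It assumes the signature value is Base64-encoded, the string-to-sign is encoded as UTF-8, "alphabetically" means plain string comparison, and nested objects are sorted the same way; canonicalize, verifyWebhook and makeSampleWebhook are hypothetical names, and the sample record and key pair are constructed.

```javascript
const crypto = require("crypto");

// Serialize parsed JSON on one line, keys sorted (nested objects too, an
// assumption). Built by hand: JSON.stringify always emits integer-like keys
// ("99", "1001029") in numeric order, whatever the insertion order.
function canonicalize(value) {
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  if (value !== null && typeof value === "object") {
    const fields = Object.keys(value)
      .sort() // plain string comparison: assumed meaning of "alphabetically"
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
    return "{" + fields.join(",") + "}";
  }
  return JSON.stringify(value); // string, number, boolean or null
}

// True only if body.signature is a valid SHA256withRSA signature over the
// canonical form of body.data. Assumptions: Base64 signature, UTF-8 bytes.
function verifyWebhook(body, publicKeyPem) {
  if (!body || !Array.isArray(body.data) || typeof body.signature !== "string") {
    return false; // missing or malformed fields: reject
  }
  return crypto.verify(
    "sha256", // with an RSA key this is RSASSA-PKCS1-v1_5, i.e. SHA256withRSA
    Buffer.from(canonicalize(body.data), "utf8"),
    publicKeyPem,
    Buffer.from(body.signature, "base64")
  );
}

// Constructed sample: a throwaway key pair stands in for Ragic's key.
function makeSampleWebhook() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
  });
  const signed = '[{"1001029":"apple","1001030":"banana","99":"kiwi"}]';
  const sig = crypto.sign("sha256", Buffer.from(signed, "utf8"), privateKey);
  const body = {
    data: [{ "1001030": "banana", "99": "kiwi", "1001029": "apple" }],
    signature: sig.toString("base64"),
  };
  return { body, publicKeyPem: publicKey.export({ type: "spki", format: "pem" }) };
}

const sample = makeSampleWebhook();
console.log("valid:", verifyWebhook(sample.body, sample.publicKeyPem));
sample.body.data[0]["1001029"] = "cherry";
console.log("tampered:", verifyWebhook(sample.body, sample.publicKeyPem));
```

Values pass through JSON.parse before being re-serialized, so a number whose text does not round-trip (one written as 1.0, for example) produces a different string and fails verification.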
We provide two ways for you to obtain the public key. Choose the one that best fits your use case:
1. Get the public key string directly by calling: https://www.ragic.com/api/http/getWebhookSignaturePublicKey.jsp?type=string
2. Click here to download the PEM file.
It is recommended to cache the public key on your server and only re-download it on startup.