Skip to content

docs(webhooks): publish signature public key and clarify verification#69

Open
tristantelleb wants to merge 1 commit into
mainfrom
docs/webhook-signature-public-key
Open

docs(webhooks): publish signature public key and clarify verification#69
tristantelleb wants to merge 1 commit into
mainfrom
docs/webhook-signature-public-key

Conversation

@tristantelleb

Copy link
Copy Markdown
Member

What

Improves the Webhooks page (v3/expert-models/webhooks.mdx) so integrators can actually verify webhook signatures on their own.

Publish the public key

The page told users to "ask Eden AI support for the public key." This inlines the actual RSA public key (PEM, BEGIN PUBLIC KEY), saved as edenai_webhook_rsa.pub.pem — the same filename the Python/JS examples already load.

Sharpen the "how it works" steps

Rewritten to match the V3 signer (aifeatures/app/core/utils/crypto.py) exactly: canonical JSON = orjson.dumps(payload, option=OPT_INDENT_2 | OPT_SORT_KEYS) (keys sorted, 2-space indent, raw UTF-8 with non-ASCII not \u-escaped). Also clarifies that the delivered body is compact, so it must be re-serialized into canonical form before hashing.

Header casing fix

X-Edenai-WebhookX-EdenAI-Webhook, matching the exact casing the service sends (WEBHOOK_BASE_HEADERS).

Number-formatting caveat

Adds a warning that a whole-number float (e.g. a 1.0 score) serializes as 1.0 on Eden AI's side but 1 via JavaScript's JSON.stringify, which silently breaks verification.

Verification done

  • End-to-end: signed a sample payload with the exact V3 algorithm and verified it with both the Python and JS example code — passes for ASCII and non-ASCII (café 中文 🚀) payloads.
  • Cross-language canonicalization: V3 orjson output hash == the JS sorted-JSON.stringify hash (byte-identical).
  • Embedded key: loads cleanly in pycryptodome, Node crypto, and openssl (3072-bit, e=65537); fingerprint matches the source key.
  • No runnable Python snippets added, so the snippet test suite is unaffected.

🤖 Generated with Claude Code

Replaces the "ask Eden AI support for the public key" tip with the actual
RSA public key inline (PEM), so integrators can verify webhook signatures
without contacting support. Save it as edenai_webhook_rsa.pub.pem, the file
the Python/JS examples already load.

Also:
- Sharpen the signature steps to match the V3 signer exactly
  (orjson OPT_INDENT_2 | OPT_SORT_KEYS: sorted keys, 2-space indent, raw
  UTF-8, non-ASCII not escaped), and note the delivered body is compact so
  it must be re-serialized into canonical form before hashing.
- Fix the X-EdenAI-Webhook header casing to match what the service sends.
- Add a caveat about cross-language number formatting (whole-number floats
  serialize as 1.0 vs JS 1), which silently breaks verification.

Verified end-to-end: signing with the V3 algorithm and verifying with both
the Python and JS example code passes for ASCII and non-ASCII payloads, and
the embedded key loads in pycryptodome, Node crypto, and openssl.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@tristantelleb, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 47 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 80ba7828-493e-4f40-82ef-56028e2711db

📥 Commits

Reviewing files that changed from the base of the PR and between 5174e81 and 3686410.

📒 Files selected for processing (1)
  • v3/expert-models/webhooks.mdx
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/webhook-signature-public-key

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mintlify

mintlify Bot commented Jul 10, 2026

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
edenai 🟢 Ready View Preview Jul 10, 2026, 4:26 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant