# Verifying a JWS Signed Message
source: https://developer.mastercard.com/account-to-account-commerce-for-csp/documentation/tutorials-and-guides/jws-guide/verifying-jws-signed-message/index.md

## Verify a JWS signed message {#verify-a-jws-signed-message}

This section describes the steps to verify the signature of a message signed using JWS.
Note: the code samples on this page are pseudo-code and are not tied to any specific language or technology.

#### 1. Extract the components from JWS {#1-extract-the-components-from-jws}

The elements of `X-JWS-Signature` are separated by periods. Because the payload is detached, the middle element is empty, which is why two consecutive periods appear.

The following is a sample of the `X-JWS-Signature` elements:

`X-JWS-Signature=<jose-header>..<jws-signature>`

The verifier decodes the JOSE header and signature from the JWS specified in
the HTTP header `X-JWS-Signature`.

#### 2. Validate the JOSE header and certificate {#2-validate-the-jose-header-and-certificate}

The verifier performs the following:

* Validates that the JOSE header is a valid JSON object.
* Ensures that the `alg` specified is PS256.
* Ensures that the `iat` claim exists and that its value is a date and time in the past.
* Ensures that the `crit` claim contains `iat`.
* Ensures that the `kid` is valid and that a public key with the specified `kid` can be retrieved from the trust store.

#### 3. Verify the signature {#3-verify-the-signature}

As per the specifications defined in [RFC 7515 - Appendix F](https://tools.ietf.org/html/rfc7515#appendix-F), in the case of detached content the verifier can re-insert the BASE64URL(jws-payload) into the `X-JWS-Signature` and verify the signature as normal.

```plain
IF API HTTP method is GET THEN
    <jws-payload> = <request URI including any query parameters>
    Example: for the request URL https://domain-url/zapp/pbarfp/csp/debtor-service-providers?category_purpose=MTOM&feature=AOF,
             jws-payload = /zapp/pbarfp/csp/debtor-service-providers?category_purpose=MTOM&feature=AOF
ELSE
    <jws-payload> = <message-payload>
```

The verifier should process the payload only if its integrity has been asserted by the signature verification described above.
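The three steps above, carried through as one verifier in Python. This is an added example, not code from the page or from Mastercard; it assumes a caller-supplied trust store mapping `kid` to a public key, reads `iat` as epoch seconds (the form the samples below use), and, for the PS256 check, assumes the pyca/cryptography package is installed.

```python
import base64, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def rebuild_signing_input(jws: str, method: str, request_uri: str, body: bytes):
    parts = jws.split(".")  # step 1: <jose-header>..<jws-signature>, payload detached
    if len(parts) != 3 or parts[1] != "":
        raise ValueError("expected detached JWS <jose-header>..<jws-signature>")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    # RFC 7515 App. F: re-insert BASE64URL(payload); GET signs the request URI (path plus query), others the body
    payload = request_uri.encode("utf-8") if method.upper() == "GET" else body
    signing_input = (parts[0] + "." + b64url_encode(payload)).encode("ascii")
    return header, signing_input, b64url_decode(parts[2])

def validate_header(header: dict, trust_store: dict, now: float):  # step 2: alg, iat, crit, kid
    if header.get("alg") != "PS256":
        raise ValueError("alg must be PS256")
    iat = header.get("iat")  # the samples on this page carry iat as a string of epoch seconds
    if iat is None or int(iat) > now:
        raise ValueError("iat is missing or not in the past")
    if "iat" not in header.get("crit", []):
        raise ValueError("crit must list iat")
    key = trust_store.get(header.get("kid"))  # trust store is an assumed kid -> public key mapping
    if key is None:
        raise ValueError("kid not found in trust store")
    return key

def ps256_verify(public_key, data: bytes, signature: bytes) -> bool:
    """Step 3 via pyca/cryptography (assumed installed): RSASSA-PSS, SHA-256, 32-byte salt."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    pss = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)
    try:
        public_key.verify(signature, data, pss, hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def verify_detached_jws(jws: str, method: str, request_uri: str, body: bytes,
                        trust_store: dict, verifier=ps256_verify, now=None) -> bool:
    header, data, sig = rebuild_signing_input(jws, method, request_uri, body)
    key = validate_header(header, trust_store, time.time() if now is None else now)
    return verifier(key, data, sig)  # only True means the payload may be processed
```

Any `ValueError` from the header checks is a rejection just as much as a `False` from the signature check; neither path should let the payload reach business logic.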

### Sample signed request {#sample-signed-request}

```plain
POST /payments HTTP/1.1
Content-Type: application/json
Accept: application/json
X-Request-ID: b4ea4195-5bfd-429a-abb6-860c6229c3b8
X-Participant-ID: 100023
X-Product-ID: PBARFP
X-JWS-Signature:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImRQRHNDK01TL1IvNFdNTEcvVkFmeCtEVUZUWT0iLCJpYXQiOiIxNjEwMDQ5MTkyIiwiY3JpdCI6WyJpYXQiXX0..fDGLrG9K2ui-lN65ohb-cpffjJCRTwIHsr2TJ5RUbey4Ns95ZeTgLCsBnQ84nb4yJXm7_U8Ic2aES6gxQQoJvg6vvgs9tWZW9R5mvlUBYMfOHbjTin2984T5HpZzrDrOIqEbeI18CNLjqSHaUCt0c_S6KBx0CxQ6sHXkX1X2BrCsVbgwzPoY42bGFEiKLmP8VGjd1TPzCdv7gAzamXy46aE7QF7u5Nzphr1cyVJPtVAJ4DMK-ttQwG-6PT3rqwJwf-NU_XOETnMnjQi_9HCisLC55miiKeQW1MLuIYzQv36PFQgzpnr9iqDS0k9oX1KZ8XHEi60smvOR7CnDzQ
{
 "messageInformation": {
 "messageId": "d9ec6ef56d5c4d7b98493c4300c272a6",
 ...
 },
 ...
}
```

### Sample signed response {#sample-signed-response}

```plain
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 951
X-Request-ID: b4ea4195-5bfd-429a-abb6-860c6229c3b8
X-Participant-ID: 100023
X-Product-ID: PBARFP
X-JWS-Signature:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImVOVGNCK01TL1IvNFdNTEcvVkFmeCtTRlVCUT0iLCJpYXQiOiIxNjEwMDQ5MTk5IiwiY3JpdCI6WyJpYXQiXX0=..gHGLrK9K2ui-lN65opb-cjefjJCRTwIHwr5TJ5RUbey4Ns95ZeTgLCsBnQ84nb4yJXm7_U8Ic2aES6gxQQoJvg6vvgs9tWZW9R5mvlUBYMfOHbjTin2984T5HpZzrDrOIqEbeI18CNLjqSHaUCt0c_S6KBx0CxQ6sHXkX1X2BrCsVbgwzPoY42bGFEiKLmP8VGjd1TPzCdv7gAzamXy46aE7QF7u5Nzphr1cyVJPtVAJ4DMK-ttQwG-6PT3rqwJwf-NU_XOETnMnjQi_9HCisLC55miiKeQW1MLuIYzQv36PFQgzpnr9iqDS0k9oX1KZ8XHEi60smvOR7CnUiS
{
 "messageInformation": {
 "messageId": "46f167ec51b211ebae930242ac130002",
 "originalMessageId": "d9ec6ef56d5c4d7b98493c4300c272a6",
 ...
 },
 "statusInformation": {
 "transactionStatus": "RCVD"
 },
 ...
}
```
