Summary
Implement JWT verification for incoming webhooks and return redirects from Montonio. This is the counterpart to #12 (outgoing request signing).
When Montonio sends a webhook notification or redirects the customer back, the payload includes a JWT signed with the merchant's secret key. The SDK should verify these tokens.
Requirements
- Verify HS256 signature using the configured secret key
- Validate standard claims (exp, iat)
- Extract and deserialize the payload claims into typed Java objects
- Reject expired or tampered tokens with MontonioAuthenticationException
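The verification flow these requirements describe, as an added example that is not part of the SDK or this issue: a stdlib-only Python sketch of the checks the Java implementation needs (algorithm pinning, constant-time HMAC-SHA256 comparison, exp/iat validation with a small clock-skew leeway), plus a constructed helper that mints HS256 tokens for testing. The claim name orderToken, the 30-second leeway and the secret value are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class MontonioAuthenticationException(Exception):
    """Raised when a webhook/return token is malformed, tampered with, or expired."""


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_montonio_token(token: str, secret_key: str,
                          now: Optional[float] = None, leeway: int = 30) -> dict:
    """Verify an HS256 JWT from a webhook or return URL; return its claims or raise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError) as exc:
        raise MontonioAuthenticationException("malformed token") from exc
    # Pin the algorithm: the 'alg' header must never select the verifier ("none" etc.).
    if header.get("alg") != "HS256":
        raise MontonioAuthenticationException("unexpected algorithm")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret_key.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise MontonioAuthenticationException("signature mismatch")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise MontonioAuthenticationException("token expired or exp missing")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise MontonioAuthenticationException("token issued in the future or iat missing")
    return claims


def make_test_token(claims: dict, secret_key: str, alg: str = "HS256") -> str:
    """Constructed test helper (not Montonio's code): mint a token for the verifier above."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret_key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"
```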
Context
The JWT authentication implementation (#12) covers outgoing request signing. This issue covers the incoming direction — verifying that webhooks and return URLs actually came from Montonio.
Refs
- CLAUDE.md — mentions "JWT webhook/return validation" as a project goal