In the webhooks microservice, the client's sha_secret should encrypt the webhook payload

[euanmillar]

This is so that the data cannot be intercepted and can only be decrypted by a client that knows the sha_secret

The payload must be encrypted using the webhookToNotify.sha_secret

[euanmillar]

@rikukissa this would be required for the MOSIP integration in Uganda which will be designed in 1.7.0

[rikukissa]

@euanmillar is there more documentation to how this needs to be done (method of encryption...). HTTPS of course does fully encrypt all payloads between our system and the receiving client but I have seen similar arrangements elsewhere

[euanmillar]

@rikukissa I think it's documented in W3C WebSub docs

[rikukissa]

Where is this requirement coming from @euanmillar ? The WebSub specification describes content signing but I couldn't find anything about content encryption