Message signing and signature validation are mandatory for all requests and responses. Together they provide message authenticity, integrity, and non-repudiation.

Security Architecture

The platform enforces a two-layer security approach:

Request Signing

All outgoing requests must be digitally signed before transmission

Response Validation

All incoming responses must have their signatures verified before processing

Why Signing is Required

Digital signatures prove that the request originated from an authorized party with access to the private key.
Any modification to the signed content invalidates the signature, ensuring data hasn’t been tampered with in transit.
The sender cannot deny having sent a signed message, providing an audit trail for all transactions.
The Request-Time header lets the receiver reject requests whose timestamp falls outside an acceptance window, which limits how long a captured request remains replayable. For this to hold, the header must be covered by the signature; an unsigned timestamp could simply be rewritten by the attacker.

Key Management

Key Requirements

Requirement   Specification
Algorithm     RSA with SHA-256 (RSA256)
Key Size      2048 bits minimum
Format        PEM or PKCS#8

Key Pair Setup

1. Generate Key Pair

Generate a 2048-bit RSA key pair using OpenSSL or your preferred tool:

# Generate private key
# (OpenSSL 3.x writes it as PKCS#8, "BEGIN PRIVATE KEY"; OpenSSL 1.1.x writes
# PKCS#1, "BEGIN RSA PRIVATE KEY". Both are PEM encodings.)
openssl genrsa -out private_key.pem 2048

# Extract public key
openssl rsa -in private_key.pem -pubout -out public_key.pem

2. Share Public Key

Provide your public key to Rebell during onboarding. This key will be used to verify your request signatures.

3. Receive Platform Public Key

Receive Rebell’s public key to verify response signatures.

4. Secure Storage

Store your private key securely. Never expose it in client-side code or version control.
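The following is an added example, not Rebell's own code, that exercises the properties listed under "Why Signing is Required" with the key pair produced by the setup steps above: a request is signed with the private key and verified with the public key, a tampered body or tampered Request-Time fails verification, and a correctly signed but stale request is rejected by the freshness check. This page does not define the exact string that is signed, so the canonical form used here (method, path, Request-Time as a Unix timestamp, and the SHA-256 of the body, newline-separated), the 300-second acceptance window, and the sample request are all assumptions; the real canonical form is in the "Call an API via Signing" guide.

```shell
#!/bin/sh
# Added example (not Rebell's code): sign / verify / freshness checks with the
# OpenSSL CLI. ASSUMPTIONS: the signed string is
#   METHOD\nPATH\nREQUEST_TIME\nsha256hex(BODY)
# Request-Time is a Unix timestamp, and the replay window is +/-300 s.
set -eu

KEYDIR=$(mktemp -d)
trap 'rm -rf "$KEYDIR"' EXIT

# Step 1 of the key pair setup: 2048-bit RSA private key and its public key.
openssl genrsa -out "$KEYDIR/private_key.pem" 2048 2>/dev/null
openssl rsa -in "$KEYDIR/private_key.pem" -pubout -out "$KEYDIR/public_key.pem" 2>/dev/null

# canonical METHOD PATH REQUEST_TIME BODY -> the bytes that get signed.
# Request-Time is inside the signed string, so an attacker cannot refresh it.
canonical() {
    body_hash=$(printf '%s' "$4" | openssl dgst -sha256 -hex | sed 's/.* //')
    printf '%s\n%s\n%s\n%s' "$1" "$2" "$3" "$body_hash"
}

# sign_request METHOD PATH REQUEST_TIME BODY -> base64 signature.
# "openssl dgst -sha256 -sign" produces an RSASSA-PKCS1-v1_5 signature over SHA-256.
sign_request() {
    canonical "$@" | openssl dgst -sha256 -sign "$KEYDIR/private_key.pem" | openssl base64 -A
}

# verify_request SIG_B64 METHOD PATH REQUEST_TIME BODY -> exit 0 only if the
# signature matches the recomputed canonical string under the public key.
verify_request() {
    sig_b64=$1; shift
    printf '%s' "$sig_b64" | openssl base64 -d -A > "$KEYDIR/sig.bin"
    canonical "$@" | openssl dgst -sha256 -verify "$KEYDIR/public_key.pem" \
        -signature "$KEYDIR/sig.bin" >/dev/null 2>&1
}

# fresh REQUEST_TIME -> exit 0 if within +/-300 s of now. A valid signature on
# a stale timestamp is still rejected, which bounds the replay window.
fresh() {
    now=$(date +%s)
    age=$((now - $1))
    [ "$age" -le 300 ] && [ "$age" -ge -300 ]
}

# accept SIG_B64 METHOD PATH REQUEST_TIME BODY -> the receiver-side decision:
# freshness first, then signature.
accept() {
    fresh "$4" && verify_request "$@"
}

# demo -> exit 0 if all four expected outcomes hold (constructed sample request).
demo() {
    now=$(date +%s)
    body='{"amount":100,"currency":"EUR"}'
    sig=$(sign_request POST /v1/payments "$now" "$body")
    accept "$sig" POST /v1/payments "$now" "$body"            || return 1  # genuine request
    ! accept "$sig" POST /v1/payments "$now" '{"amount":999}' || return 1  # body tampered
    ! accept "$sig" POST /v1/payments "$((now - 1))" "$body"  || return 1  # Request-Time tampered
    stale=$((now - 3600))
    sig=$(sign_request POST /v1/payments "$stale" "$body")
    ! accept "$sig" POST /v1/payments "$stale" "$body"        || return 1  # replay of an old request
    echo "all signing checks passed"
}

demo
```

The freshness check runs before the signature check on purpose: rejecting stale timestamps first avoids spending an RSA verification on requests that would be refused anyway. Note that a timestamp window only narrows replay; a request replayed inside the window still verifies, so an idempotency key or nonce is needed if exact-once delivery matters.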

Security Best Practices

Private Key Security: Your private key should never be exposed. If you suspect your private key has been compromised, contact Rebell support immediately to rotate your keys.

Implementation Guide

For detailed implementation instructions, see:

Call an API via Signing

Step-by-step guide to signing requests and validating responses