Get Webhook Signing Key

curl --request GET \
  --url https://app.uselamina.ai/v1/webhooks/signing-key

{
  "keys": [
    {
      "kty": "OKP",
      "crv": "Ed25519",
      "x": "WR64jqplhAMsH7qC20Mqhm59yZjkiHfzfy6vCMAeIOk",
      "kid": "lamina-webhook-v1",
      "use": "sig",
      "alg": "EdDSA"
    }
  ]
}

Webhooks

Get Webhook Signing Key

Returns the public key used to verify webhook signatures.

When you receive a webhook callback, verify it’s from Lamina by checking the ED25519 signature in the X-Lamina-Webhook-Signature header.

Verification steps:

Get the public key from this endpoint (cache it — it rarely changes)
Reconstruct the signed message: <timestamp>.<raw_body>
Verify the ED25519 signature against the message using the public key

Headers sent with each webhook:

X-Lamina-Webhook-Signature — ED25519 signature (hex-encoded)
X-Lamina-Webhook-Timestamp — Unix timestamp (seconds) when signed
X-Lamina-Webhook-Request-Id — Run ID (for idempotency)
X-Lamina-Webhook-User-Id — User ID that triggered the run
Content-Type: application/json

Retry policy: If your endpoint returns non-2xx or times out (15s), we retry 3 times with backoff: 5s, 30s, 2 minutes. Each retry has a fresh signature.

Replay protection: Reject webhooks with timestamps older than 5 minutes.

The signing key is returned as a JWK. Consume it directly — the x field is a raw 32-byte Ed25519 public key (base64url), not a DER/SPKI blob.

Node.js verification example:

const crypto = require('crypto');

// Fetch once at startup: const { keys } = await fetch('.../v1/webhooks/signing-key').then(r => r.json());
// const PUBLIC_JWK = keys[0];

function verifyLaminaWebhook(rawBody, signatureHex, timestamp, jwk) {
  const publicKey = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const message = Buffer.from(timestamp + '.' + rawBody);
  const signature = Buffer.from(signatureHex, 'hex');
  return crypto.verify(null, message, publicKey, signature);
}

Python verification example:

import base64
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey

# jwk = requests.get('.../v1/webhooks/signing-key').json()['keys'][0]
# raw = base64.urlsafe_b64decode(jwk['x'] + '==')  # 32-byte Ed25519 public key
# public_key = Ed25519PublicKey.from_public_bytes(raw)

def verify_lamina_webhook(raw_body, signature_hex, timestamp, public_key):
    message = f"{timestamp}.{raw_body}".encode()
    signature = bytes.fromhex(signature_hex)
    public_key.verify(signature, message)  # Raises on failure

GET

webhooks

signing-key

Get Webhook Signing Key

curl --request GET \
  --url https://app.uselamina.ai/v1/webhooks/signing-key

{
  "keys": [
    {
      "kty": "OKP",
      "crv": "Ed25519",
      "x": "WR64jqplhAMsH7qC20Mqhm59yZjkiHfzfy6vCMAeIOk",
      "kid": "lamina-webhook-v1",
      "use": "sig",
      "alg": "EdDSA"
    }
  ]
}

Returns the ED25519 public key for verifying webhook signatures. Cache this key. It rarely changes, and your webhook handler should use it to verify that incoming callbacks are genuinely from Lamina and have not been tampered with.

Response

Public key in JWK format

keys

object[]

Show child attributes

Health Check Agent Integration Patterns

Documentation Index

Response