
Set Up Your Security

There are a variety of security options for Webhooks. This section provides an overview of the security options, with links to the instructions for using them.

Mutual Trust

All Webhooks integrations must use mutual trust by adding Cybersource to your allowlist and by trusting the root certificate.

Allowlist

Add these IP addresses to your allowlist to permit Cybersource to deliver your webhook notifications:
  • 198.241.206.21
  • 198.241.207.21

Trusting the Root Certificate

Download the Visa Corporate Root CA G2 certificate from the Visa Public Key Infrastructure webpage, and add it to your Java keystore: http://enroll.visaca.com
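
Because the download link above is plain HTTP, it is worth comparing the certificate's SHA-256 fingerprint with a value obtained over a separate trusted channel before importing it. The script below is an added example, not part of the Cybersource documentation; the file paths, the alias `visa-corporate-root-ca-g2`, and the expected fingerprint argument are assumptions, and it expects the JDK `keytool` on the PATH.

```sh
#!/bin/sh
# Added example, not Cybersource code. Assumed names: the file paths, the alias,
# and the expected fingerprint, which you obtain over a separate trusted channel.
set -eu

# Strip colons and whitespace and uppercase the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# True only when both values are the same 64-hex-digit SHA-256 fingerprint.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# SHA-256 fingerprint as reported by keytool (accepts PEM or DER files).
cert_sha256() {
    keytool -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Import the certificate into the keystore only if its fingerprint matches.
import_root() {
    cert=$1; keystore=$2; cert_alias=$3; expected=$4
    actual=$(cert_sha256 "$cert")
    if ! fp_matches "$actual" "$expected"; then
        echo "refusing to import $cert: got fingerprint '$actual'" >&2
        return 1
    fi
    # -noprompt skips keytool's interactive "Trust this certificate?" question,
    # which the check above replaces; keytool still asks for the store password.
    keytool -importcert -noprompt -trustcacerts -alias "$cert_alias" \
        -file "$cert" -keystore "$keystore"
}

# Usage: import-root.sh <cert-file> <keystore> <expected-sha256>
if [ "$#" -eq 3 ]; then
    import_root "$1" "$2" visa-corporate-root-ca-g2 "$3"
fi
```

Importing into a dedicated truststore used only by the webhook endpoint, rather than the JVM-wide `cacerts`, keeps this root from being trusted for unrelated outbound connections.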

API Keys

REST API requests must use API Keys. All Webhooks requests require a shared secret key pair. Requests to create a subscription using OAuth with JWT also require a P12 Certificate. For instructions, see Create a REST API Key.

Digital Signature Key

You must create a digital signature key in order for Cybersource to send notifications to your servers. For instructions, see Create a Digital Signature Key.

OAuth and OAuth with JWT

In addition to mutual trust, you can also use OAuth or OAuth with JSON Web Token (JWT). You must provide your OAuth credentials and use the appropriate request fields for your security policy. See (Optional) Provide Your OAuth Credentials and Create a Webhook Subscription.

Message-Level Encryption

Message-level encryption is required for some products and events. For instructions, see Message-Level Encryption.