Public keys
A public key is a cipher that allows you to verify if the source of the callback notification is valid and from a secure J.P. Morgan system.
How it works
- You retrieve the public key information using
GET /public-keys.- The
GET /public-keysreponse is in JSON Web Key Set (JWKS) format. - The public key expires in 365 days. You must perform this step again when it expires.
- The
- You build the public key using the information you retrieved and store it at your end.
- Every time a notification event occurs and a callback notification is sent to you, it is digitally signed in the response header.
- You verify the signature using the public key to confirm the authenticity of the callback notification.
The following is an example of how you can retrieve the public key information.
HTTP method: GET
Endpoint: /public-keys
Scenario: Retrieving a public key
Json
{
"keys": [
{
"kid": "6599834191ad40b79a309d7a4702a1db",
"kty": "RSA",
"n": "0A6tY59w6ue-V54Abtvju7xcHyYdLGnbTyf2YvmFk9-D08ImUkrzVH4eANVzR-9ch3Ih3WvXqe52h1mtKLnAxlb4elg5WRMEJdEatUKyWRKJyiop4x7bk3b2OlTTqm83SITrLqp4BE35H05BQ1bPBFoSZLz3i2xQNzV4cOUOfdplR4iGiFrkUna1C9nGmgXcPayT-S6DasoKF_rhvoruoDXgitK6IjuIBBCe3Lt4XGK1_EJr4WTqTBlbnFD7WMqHMnXqQuXw6MgOTn5dstOOXIr8gqFaTtxyGDPWx4DMR4n4kd0VdYYHmQhumm5kKHzP0l6a1WKJHu0IdP45F-Bk5o61MMYvpzgTiEwcjOu70IrVZxx_DCZ9uE9KUBHjsnAkvwwY21waB6llNWBm4oLmGLbBb7IVP-enwFipFqsv9A_CWhu-gigyf6HIKJuvtFT3bD1n5LRFVoC-y_FAJs0vettPAwuTfWfjvzcPkV58wSdg4ulflgRAjgwB_eDE52cB",
"e": "AQAB",
"use": "sig",
"exp": "2025-10-23T11:30:25.477Z"
},
{
"kid": "4d56e5f1db9a430e8dd8b5d916aa72e9",
"kty": "EC",
"crv": "P-256",
"x": "qNB5v_fJaN69N0EQU_ERDeGEjzGs7MWIXeXD1gKCPl0",
"y": "msXtGZRc_qHXYMjI0AaJNAJ-lrf8hhpLPoDa7XSZZoM",
"use": "sig",
"exp": "2026-02-21T13:15:28.755Z"
}
]
}