# Validate Requests

<mark style="color:orange;">Every outgoing request we signed with your JWT Secret key. You need to validate received token.</mark>

### Validate Token

In each request you will receive two headers in the HTTP header :

* `X-Signature` JWT Token. Has format [JWT Tokens](https://jwt.io/), Token encription method is `HS256`
* `X-Time` - Time of request. Has format RFC3339. Like: `2006-01-02T15:04:05Z07:00`

#### Example for validate:

Validate Signature on PHP. For example used [Firebase JWT php-jwt](https://github.com/firebase/php-jwt)

```php
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Firebase\JWT\SignatureInvalidException;

$key = 'Your JWT Secret key';

//Time received from request in header X-Time
$time = '2024-01-02T15:04:05Z07:00';
//JWT received from request in header X-Signature
$jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzaWduIjoiMmUzY2I5NzI2ZjIxZmEzYTI2NmFkMWQ3M2Y0YzIzZTIifQ.HF5ANJowoPL0fOISqMjbz7kmq2Zz0QvBLNyeSF-0efc';
//Raw body received from incoming request
$jsonBody = '{"sample":"incoming request body"}';

$message = $time + $body;
//Hashing by MD5. You get is 2e3cb9726f21fa3a266ad1d73f4c23e2 value
$hash = md5($message);

try {
    $decoded = JWT::decode($jwt, new Key($key, 'HS256'));
} catch (SignatureInvalidException $e) {
    // provided JWT signature verification failed.
    throw $e
} catch (\Exception $e) {
    throw $e
}

/*
  Decode result must be contains object
  {
    "sign": "2e3cb9726f21fa3a266ad1d73f4c23e2"
  }
*/
echo "Decode:\n" . print_r((array) $decoded, true) . "\n";

//Here logic of comparison of the received md5 hash 
//and the hash generated by you from incoming request 
if ($hash != $decoded->sign) {
    throw new InvalidRequestException("Incoming signature invalid");
}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.delos.financial/webhooks/validate-requests.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.