Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions developers/interactions/overview.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,56 @@ try:
except BadSignatureError:
abort(401, 'invalid request signature')
```

**Java**

@markmandel markmandel Jun 29, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Definitely not against having multiple code examples, but if we do this, we should use Code Groups:
https://www.mintlify.com/docs/components/code-groups

WDYT @anthonydiscord ? we want multiple code versions?

Edit: we actually want code groups.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As there is regular text, I have to move it to the code as comments if we do want to use code groups, but then it looks much worse 😬


We will use `tink-java` ([`com.google.crypto.tink:tink:1.22.0`](https://mvnrepository.com/artifact/com.google.crypto.tink/tink/1.22.0)), the minimum Java version required is 11.

Using the provided class:

```java
import com.google.crypto.tink.subtle.Ed25519Verify;
import com.google.crypto.tink.subtle.Hex;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

public class Ed25519WebhookVerifier {
private final Ed25519Verify verifier;

public Ed25519WebhookVerifier(String publicKey) {
this.verifier = new Ed25519Verify(Hex.decode(publicKey));
}

public boolean verify(String signature, String timestamp, String body) {
try {
verifier.verify(Hex.decode(signature), (timestamp + body).getBytes(StandardCharsets.UTF_8));
return true;
} catch (GeneralSecurityException e) {
return false;
}
}
}
```

Verify your interactions with:

```java
// Your public key can be found on your application in the Developer Portal
var verifier = new Ed25519WebhookVerifier("PUBLIC_KEY");

// Get those from your favorite web server library
// The "X-Signature-Ed25519" header
String signature;
// The "X-Signature-Timestamp" header
String timestamp;
// Request body
String body;
if (!verifier.verify(signature, timestamp, body)) {
// Signature is invalid, return an HTTP 401 response
throw new UnsupportedOperationException("Return a HTTP 401 response");
}
```
</Accordion>

In addition to ensuring your app validates security-related request headers at the time of saving your endpoint, Discord will also perform automated, routine security checks against your endpoint, including purposefully sending you invalid signatures. If you fail the validation, we will remove your interactions URL and alert you via email and System DM.
Expand Down