Skip to content

Notifications

bidkit.notifications

Verify inbound eBay push notifications (Notification API).

eBay signs every push notification — including the mandatory marketplace-account-deletion notifications — with an ECDSA key identified by the x-ebay-signature request header: a Base64-encoded JSON object {"alg": "ecdsa", "kid": "<key id>", "signature": "<Base64 DER ECDSA>", "digest": "SHA1"}. The matching public key comes from the Notification API's getPublicKey endpoint and should be cached (eBay recommends about an hour).

The signature covers the raw request body bytes — verify before parsing, and never against a re-serialized payload.

Typical endpoint (framework-agnostic)::

verifier = NotificationVerifier(client)

# GET ?challenge_code=... -> endpoint validation
return 200, challenge_response(challenge_code, VERIFICATION_TOKEN, ENDPOINT_URL)

# POST -> notification delivery
if verifier.verify(raw_body, request.headers["x-ebay-signature"]):
    return 204          # acknowledged
return 412              # eBay retries on Precondition Failed

NotificationVerifier

Bases: _VerifierBase

Verifies eBay push-notification signatures using an :class:EbayClient.

Application credentials suffice (the public key is fetched with a client-credentials token on the base scope; a user-token client is scoped down automatically). verify returns False for a bad or malformed signature — respond 412; it raises only on operational failures (key fetch, unsupported key type) — respond 500 and let eBay retry.

AsyncNotificationVerifier

Bases: _VerifierBase

Async counterpart of :class:NotificationVerifier for :class:AsyncEbayClient.

challenge_response(challenge_code, verification_token, endpoint)

The body eBay expects back from the endpoint-validation GET ?challenge_code=….

The hash input order is fixed by eBay: challenge code, then your verification token, then the endpoint URL exactly as registered. Return it as JSON with a 200 status and Content-Type: application/json.