Public keys
Nopan signs every API response with its private key. To verify those signatures, you need Nopan's corresponding public key. Each environment (sandbox and production) has its own key pair, so the keys are isolated between testing and production traffic.
You can find them in JSON Web Key Set (JWKS) format here:
You can also download them in PEM format from the sandbox or production Portal.
Info: The kid field in each key (e.g. nopan-sandbox, nopan-production) matches the keyid value in Nopan's Signature-Input response header. Use it to select the correct key for verification.
Cache the key and refresh it every 24 hours.
For a step-by-step guide on how to use these keys to verify Nopan responses, see Response Validation.
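The key selection and 24-hour refresh described above can be sketched as follows. This is an added example, not Nopan's code, and it stops short of verifying the signature itself. Assumptions: `fetch_jwks` is a hypothetical callable that returns the environment's JWKS as a dict, the header carries `keyid` as a quoted parameter, and the sample JWKS and header are constructed.

```python
import re
import time

REFRESH_SECONDS = 24 * 60 * 60  # the page's guidance: refresh every 24 hours
_KEYID_RE = re.compile(r';\s*keyid="([^"]*)"')


def keyid_from_signature_input(header_value):
    """Return the keyid parameter of a Signature-Input header value."""
    match = _KEYID_RE.search(header_value)
    if match is None:
        raise ValueError("Signature-Input has no keyid parameter")
    return match.group(1)


class JwksCache:
    """Holds one environment's JWKS and re-fetches it once it is 24 hours old."""

    def __init__(self, fetch_jwks, expected_kid, clock=time.monotonic):
        self._fetch = fetch_jwks          # hypothetical: returns the JWKS dict
        self._expected_kid = expected_kid  # e.g. "nopan-sandbox"
        self._clock = clock
        self._keys = {}
        self._fetched_at = None

    def _refresh_if_stale(self):
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= REFRESH_SECONDS:
            jwks = self._fetch()
            self._keys = {k["kid"]: k for k in jwks["keys"] if "kid" in k}
            self._fetched_at = now

    def key_for(self, signature_input):
        kid = keyid_from_signature_input(signature_input)
        # Fail closed when the response names another environment's key.
        if kid != self._expected_kid:
            raise LookupError(f"unexpected keyid {kid!r}")
        self._refresh_if_stale()
        if kid not in self._keys:
            raise LookupError(f"no key with kid {kid!r} in JWKS")
        return self._keys[kid]


# Constructed sample data: not a real Nopan key or header.
SAMPLE_JWKS = {"keys": [{"kid": "nopan-sandbox", "kty": "PLACEHOLDER"}]}
SAMPLE_HEADER = 'sig1=("@status");created=1700000000;keyid="nopan-sandbox"'
```

Pinning `expected_kid` per deployment keeps the sandbox and production keys isolated on the client side as well: a production client rejects a response that names the sandbox key before any signature check runs.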