Algorithms
Kayle encrypts with RSA-OAEP-256. Register an RSA public JWK; Kayle generates a fresh content-encryption key per delivery, wraps it with your public key, and emits a compact JWE. The HTTP request carries Content-Type: application/jose.
Register a key
id (whk_...). The key_id you supplied is what appears in the delivered JWE’s kid header so your server can pick the matching private key when more than one is in rotation.
A new key is created with is_active: true and is used immediately for new deliveries.
Generate a key pair
You need a 2048-bit (or larger) RSA key pair with the public key encoded as a JWK:jose CLI, or any JWK utility you prefer). Submit the JWK with alg: "RSA-OAEP-256", use: "enc", and a kid you choose.
Store the private key in your secret manager. Kayle never sees it.
Decrypting
Use any JWE library that supports compact serialization and RSA-OAEP-256. Verify X-Kayle-Signature against the JWE string Kayle sent before decrypting — the signature covers the encrypted body. See Verifying signatures.
Node.js
Rotating keys
Register the new key with is_active: true. New deliveries use it immediately. To preserve the ability to decrypt deliveries that fired against the previous key, leave the previous key registered and call POST /v1/webhooks/keys/:key_id/deactivate to mark it inactive — Kayle won’t encrypt new payloads to it, but you can still hold its private key to decrypt history.
Only one key per endpoint should be active at a time. If you reactivate an old key while another is also active, the active key picked for a given delivery is undefined.
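Selecting the private key by kid while two keys are in rotation, and decrypting the compact JWE with Node's built-in crypto module. This is an added example, not Kayle's own code: the A256GCM content encryption, the kid values, and the function names are assumptions, and it expects X-Kayle-Signature to have been verified already.

```javascript
// Added example (not Kayle's code). Assumes content encryption is A256GCM;
// the page names only the key-wrapping algorithm, RSA-OAEP-256.
const crypto = require('node:crypto');
const b64u = (data) => Buffer.from(data).toString('base64url');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// keyRing: Map of kid -> private KeyObject, holding the active key and any deactivated ones.
function decryptDelivery(jwe, keyRing) {
  const parts = jwe.split('.');
  if (parts.length !== 5) throw new Error('not a compact JWE');
  const [protectedB64, wrappedKey, iv, ciphertext, tag] = parts;
  const header = JSON.parse(Buffer.from(protectedB64, 'base64url').toString('utf8'));
  // Pin the algorithms you registered; never let the header pick something else.
  if (header.alg !== 'RSA-OAEP-256') throw new Error('unexpected alg');
  if (header.enc !== 'A256GCM') throw new Error('unexpected enc');
  const privateKey = keyRing.get(header.kid);
  if (!privateKey) throw new Error('unknown kid');
  const cek = crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(wrappedKey, 'base64url'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', cek, Buffer.from(iv, 'base64url'));
  decipher.setAAD(Buffer.from(protectedB64, 'ascii')); // AAD is the protected header exactly as sent
  decipher.setAuthTag(Buffer.from(tag, 'base64url'));
  const plaintext = Buffer.concat([decipher.update(Buffer.from(ciphertext, 'base64url')), decipher.final()]);
  return JSON.parse(plaintext.toString('utf8'));
}

// Constructed sender side, present only to produce sample input offline.
function sampleJwe(publicKey, kid, payload) {
  const protectedB64 = b64u(JSON.stringify({ alg: 'RSA-OAEP-256', enc: 'A256GCM', kid }));
  const cek = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const wrapped = crypto.publicEncrypt({ key: publicKey, ...OAEP }, cek);
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(Buffer.from(protectedB64, 'ascii'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload)), cipher.final()]);
  return [protectedB64, b64u(wrapped), b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join('.');
}

// Constructed key ring: a deactivated key kept for history and the current active key.
const oldKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const newKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const keyRing = new Map([['key-2024', oldKey.privateKey], ['key-2025', newKey.privateKey]]);
```

In production the private keys would be loaded from your secret manager rather than generated in process.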