When making an API call to /user/:userid/monetary-account to fetch a list of monetary accounts, I get a response from the Bunq API that includes an X-Bunq-Server-Signature header, but when I attempt to verify the signature with the public key that I acquired from the POST /installation endpoint, verification fails.
The code itself seems to work fine, as I use the same logic for verifying the server signature when fetching an access token, and that signature passes verification as expected.
Does bunq use a different RSA keypair for endpoints such as /user/:userid/monetary-account? If yes, where can I find the public key to verify these signatures?
For completeness, here's the code I currently use for verifying the server signature:
using System;
using System.Security.Cryptography;
using System.Text;

// Verifies the base64-encoded X-Bunq-Server-Signature header value against the response content,
// using the server public key (PEM) obtained from POST /installation and stored in _bunqConfig.
private bool VerifyResponseSignature(string content, string signature)
{
    var contentBytes = Encoding.UTF8.GetBytes(content);
    var signatureBytes = Convert.FromBase64String(signature);
    using var rsa = RSA.Create();
    rsa.ImportFromPem(_bunqConfig.BunqPublicKey);
    // RSA signature over SHA-256 digest with PKCS#1 v1.5 padding
    return rsa.VerifyData(contentBytes, signatureBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
}