Cobo signs each response(HTTP response & Callback push)with ECDSA signature, the signed message is in HTTP Header: BIZ_TIMESTAMP, BIZ_RESP_SIGNATURE, you may verify the signature to ensure it’s from Cobo, refer to the samples in Client demo:

If you want to check Cobo pubkey to verify Cobo signature, please go to: Web management platform - Wallet - API Callback. (NOTICE they’re different in Development&Production environment)