Boldsign.Webhook (Boldsign v0.6.1)

Copy Markdown View Source

Webhook signature verification for BoldSign.

BoldSign webhooks are configured exclusively via the BoldSign dashboard (Settings > Webhooks). There is no API for managing webhooks programmatically.

This module provides signature verification so your application can confirm that incoming webhook payloads genuinely originated from BoldSign.

Signature format

BoldSign sends a signature header (x-boldsign-signature) in the format:

t=UNIX_TIMESTAMP,s0=HEX_SIGNATURE

The signature is an HMAC-SHA256 of TIMESTAMP.RAW_BODY using the webhook secret from your BoldSign dashboard.

Summary

Functions

verify_signature(raw_body, signature_header, secret)

Verifies a BoldSign webhook signature.

Functions

verify_signature(raw_body, signature_header, secret)

Verifies a BoldSign webhook signature.

Parses the t=TIMESTAMP,s0=SIGNATURE header, computes the expected HMAC-SHA256 of TIMESTAMP.RAW_BODY, and compares against the provided hex-encoded signature using constant-time comparison.

Returns true if the signature is valid, false otherwise.

Parameters

  • raw_body - The raw request body as a binary string
  • signature_header - The value of the x-boldsign-signature header
  • secret - Your webhook secret from the BoldSign dashboard

Example

signature_header = "t=1617180024,s0=6a2e..."
Boldsign.Webhook.verify_signature(raw_body, signature_header, secret)