# `Boldsign.Webhook`
[🔗](https://github.com/neilberkman/boldsign/blob/v0.6.1/lib/boldsign/webhook.ex#L1)

Webhook signature verification for BoldSign.

BoldSign webhooks are configured exclusively via the BoldSign dashboard
(Settings > Webhooks). There is no API for managing webhooks programmatically.

This module provides signature verification so your application can confirm
that incoming webhook payloads genuinely originated from BoldSign.

## Signature format

BoldSign sends a signature header (`x-boldsign-signature`) in the format:

    t=UNIX_TIMESTAMP,s0=HEX_SIGNATURE

The signature is an HMAC-SHA256 of `TIMESTAMP.RAW_BODY` using the webhook
secret from your BoldSign dashboard.

# `verify_signature`

Verifies a BoldSign webhook signature.

Parses the `t=TIMESTAMP,s0=SIGNATURE` header, computes the expected
HMAC-SHA256 of `TIMESTAMP.RAW_BODY`, and compares against the provided
hex-encoded signature using constant-time comparison.

Returns `true` if the signature is valid, `false` otherwise.

## Parameters

  * `raw_body` - The raw request body as a binary string
  * `signature_header` - The value of the `x-boldsign-signature` header
  * `secret` - Your webhook secret from the BoldSign dashboard

## Example

    signature_header = "t=1617180024,s0=6a2e..."
    Boldsign.Webhook.verify_signature(raw_body, signature_header, secret)

---

*Consult [api-reference.md](api-reference.md) for complete listing*