Codat.Webhooks.Verifier (codat v1.0.0)

Verify the authenticity and integrity of incoming Codat webhook payloads.

Codat signs deliveries using the Svix HMAC-SHA256 standard. Verification covers authenticity, integrity, and replay protection.

Usage

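# :accept and :reject are placeholder results; substitute your own handling.
case Codat.Webhooks.Verifier.verify(secret, raw_body, headers) do
  :ok -> :accept                           # authentic and recent: process the event
  {:error, :invalid_signature} -> :reject  # not from Codat
  {:error, :expired} -> :reject            # possible replay attack
  {:error, :missing_headers} -> :reject    # required headers absent
  {:error, _other} -> :reject              # :invalid_timestamp or :invalid_secret
end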

Types

verify_error()

@type verify_error() ::
  :missing_headers
  | :invalid_signature
  | :expired
  | :invalid_timestamp
  | :invalid_secret

Functions

verify(secret, raw_body, headers, opts \\ [])

@spec verify(String.t(), binary(), map() | list(), keyword()) ::
  :ok | {:error, verify_error()}

Verifies a Codat webhook payload against its signature headers.

Options

  • :tolerance — max age in seconds (default: 300)
  • :now — override the current timestamp for testing (Unix seconds)
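The checks named above (authenticity, integrity, replay protection within :tolerance), written out as an added sketch of the public Svix signing scheme; this is not the source of Codat.Webhooks.Verifier. Assumptions: the module name SvixSketch, the svix-id / svix-timestamp / svix-signature header names, a map of lowercase header names, and the way each failure maps onto a verify_error() atom; all sample values are constructed.

```elixir
defmodule SvixSketch do
  # Added sketch of the public Svix scheme, not Codat.Webhooks.Verifier's code.
  # Assumed: svix-* header names and the failure-to-atom mapping used below.

  def sign("whsec_" <> b64, id, ts, body) do
    case Base.decode64(b64) do
      {:ok, key} ->
        # The MAC covers the message id, the timestamp and the exact body bytes.
        mac = :crypto.mac(:hmac, :sha256, key, "#{id}.#{ts}.#{body}")
        {:ok, Base.encode64(mac)}

      :error ->
        {:error, :invalid_secret}
    end
  end

  def sign(_secret, _id, _ts, _body), do: {:error, :invalid_secret}

  def verify(secret, body, headers, now, tolerance \\ 300) do
    with %{"svix-id" => id, "svix-timestamp" => ts, "svix-signature" => sigs} <- headers,
         {seconds, ""} <- Integer.parse(ts),
         true <- (abs(now - seconds) <= tolerance or {:error, :expired}),
         {:ok, expected} <- sign(secret, id, ts, body) do
      # The header may carry several space-separated "v1,<base64>" entries.
      matched = Enum.any?(String.split(sigs, " "), &match_v1?(&1, expected))
      if matched, do: :ok, else: {:error, :invalid_signature}
    else
      {:error, reason} -> {:error, reason}
      %{} -> {:error, :missing_headers}
      _ -> {:error, :invalid_timestamp}
    end
  end

  # Constant-time comparison (:crypto.hash_equals/2, OTP 25+) needs equal sizes.
  defp match_v1?("v1," <> candidate, expected) do
    byte_size(candidate) == byte_size(expected) and :crypto.hash_equals(candidate, expected)
  end

  defp match_v1?(_other, _expected), do: false
end

# Constructed sample values, not real Codat data.
secret = "whsec_" <> Base.encode64("constructed-demo-key")
body = ~s({"eventType":"demo"})
now = 1_700_000_000
{:ok, sig} = SvixSketch.sign(secret, "msg_demo", "#{now}", body)
headers = %{"svix-id" => "msg_demo", "svix-timestamp" => "#{now}", "svix-signature" => "v1,#{sig}"}

IO.inspect(SvixSketch.verify(secret, body, headers, now))        # untouched, recent delivery
IO.inspect(SvixSketch.verify(secret, body <> " ", headers, now)) # body changed by one byte
IO.inspect(SvixSketch.verify(secret, body, headers, now + 301))  # replayed past the tolerance
```

Because the MAC covers the exact body bytes, pass the raw request body to the verifier rather than a decoded and re-encoded copy of the JSON.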

verify!(secret, raw_body, headers, opts \\ [])

@spec verify!(String.t(), binary(), map() | list(), keyword()) :: :ok

Like verify/4 but raises Codat.Webhooks.VerificationError on failure.