# `Codat.Webhooks.Verifier`
[🔗](https://github.com/iamkanishka/codat.git/blob/v1.0.0/lib/codat/webhooks/verifier.ex#L1)

Verify the authenticity and integrity of incoming Codat webhook payloads.

Codat signs deliveries using the Svix HMAC-SHA256 standard.
Verification covers authenticity, integrity, and replay protection.

## Usage

    case Codat.Webhooks.Verifier.verify(secret, raw_body, headers) do
      :ok -> # authentic and recent — process the event
      {:error, :invalid_signature} -> # reject — not from Codat
      {:error, :expired} -> # reject — possible replay attack
      {:error, :missing_headers} -> # reject — required headers absent
    end

# `verify_error`

```elixir
@type verify_error() ::
  :missing_headers
  | :invalid_signature
  | :expired
  | :invalid_timestamp
  | :invalid_secret
```

# `verify`

```elixir
@spec verify(String.t(), binary(), map() | list(), keyword()) ::
  :ok | {:error, verify_error()}
```

Verifies a Codat webhook payload against its signature headers.

## Options

- `:tolerance` — max age in seconds (default: 300)
- `:now` — override the current timestamp for testing (Unix seconds)

# `verify!`

```elixir
@spec verify!(String.t(), binary(), map() | list(), keyword()) :: :ok
```

Like `verify/4` but raises `Codat.Webhooks.VerificationError` on failure.

---

*Consult [api-reference.md](api-reference.md) for complete listing*