HookSniff.WebhookVerification (HookSniff v0.2.0)

Copy Markdown View Source

Webhook signature verification for HookSniff.

Supports both simple HMAC-SHA256 verification and Standard Webhooks (Svix-compatible) verification with timestamp tolerance.

Also supports Svix headers (svix-id, svix-signature, svix-timestamp) as fallback.

Example

# Verify from request headers
result = HookSniff.WebhookVerification.verify_webhook_from_headers(
  payload: body,
  headers: conn.req_headers |> Map.new(),
  secret: "whsec_..."
)

case result do
  {:ok, payload} -> # Valid webhook
  {:error, reason} -> # Invalid
end

Summary

Functions

verify_signature(payload, signature, secret)

Verify a webhook signature using HMAC-SHA256 (legacy format).

verify_webhook(opts)

Verify a webhook using Standard Webhooks headers (Svix-compatible).

verify_webhook_from_headers(opts)

Verify a webhook from headers with automatic header detection.

Functions

verify_signature(payload, signature, secret)

@spec verify_signature(String.t(), String.t(), String.t()) :: boolean()

Verify a webhook signature using HMAC-SHA256 (legacy format).

verify_webhook(opts)

@spec verify_webhook(keyword()) :: {:ok, map() | String.t()} | {:error, String.t()}

Verify a webhook using Standard Webhooks headers (Svix-compatible).

Returns {:ok, parsed_payload} or {:error, reason}.

verify_webhook_from_headers(opts)

@spec verify_webhook_from_headers(keyword()) ::
  {:ok, map() | String.t()} | {:error, String.t()}

Verify a webhook from headers with automatic header detection.

Supports both Standard Webhooks headers (webhook-id, webhook-signature, webhook-timestamp) and Svix headers (svix-id, svix-signature, svix-timestamp) as fallback.