# `StripeManaged.Webhook`
[🔗](https://github.com/safemyprivacy0-bit/stripe_managed/blob/main/lib/stripe_managed/webhook.ex#L1)

Webhook signature verification and event construction.

Stripe signs webhook payloads with HMAC-SHA256. Always verify
signatures before processing events.

## Phoenix integration

    # In your endpoint.ex, add a raw body parser for the webhook route:
    plug Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      pass: ["*/*"],
      body_reader: {CacheBodyReader, :read_body, []},
      json_decoder: Jason

    # In your controller:
    def webhook(conn, _params) do
      payload = conn.assigns.raw_body
      signature = get_req_header(conn, "stripe-signature") |> List.first()

      case StripeManaged.Webhook.construct_event(payload, signature) do
        {:ok, event} -> handle_event(event)
        {:error, msg} -> send_resp(conn, 400, msg)
      end
    end

# `construct_event`

```elixir
@spec construct_event(String.t(), String.t(), keyword()) ::
  {:ok, map()} | {:error, String.t()}
```

Verifies the webhook signature and parses the event payload.

Returns `{:ok, event_map}` or `{:error, reason}`.

Options:
  - `:webhook_secret` - override the configured secret
  - `:tolerance` - max age in seconds (default: 300)

# `verify`

```elixir
@spec verify(String.t(), String.t(), keyword()) :: :ok | {:error, String.t()}
```

Verifies a webhook signature without parsing the payload.
Returns `:ok` or `{:error, reason}`.

---

*Consult [api-reference.md](api-reference.md) for complete listing*