Twilio.Webhook (twilio_elixir v0.1.1)

Copy Markdown View Source

Webhook request validation.

Verifies that incoming HTTP requests are genuinely from Twilio using HMAC-SHA1 signature verification.

Form-encoded webhooks (standard)

url = "https://myapp.com/webhooks/twilio"
signature = get_req_header(conn, "x-twilio-signature") |> List.first()

Twilio.Webhook.valid?(url, params, signature, auth_token)

JSON-bodied webhooks

Twilio.Webhook.valid_body?(url, raw_body, signature, auth_token)

Summary

Functions

build_body_hash(body)

Build the SHA256 hash of a request body (for JSON webhook validation).

build_signature(url, params, auth_token)

Build the expected HMAC-SHA1 signature for a request.

valid?(url, params, signature, auth_token)

Validate an incoming webhook request signature.

valid_body?(url, body, signature, auth_token)

Validate a webhook with a JSON body.

Functions

build_body_hash(body)

@spec build_body_hash(String.t()) :: String.t()

Build the SHA256 hash of a request body (for JSON webhook validation).

build_signature(url, params, auth_token)

@spec build_signature(String.t(), map(), String.t()) :: String.t()

Build the expected HMAC-SHA1 signature for a request.

valid?(url, params, signature, auth_token)

@spec valid?(String.t(), map(), String.t(), String.t()) :: boolean()

Validate an incoming webhook request signature.

Concatenates the URL with sorted POST parameters, computes HMAC-SHA1 with the auth token, and compares to the signature.

valid_body?(url, body, signature, auth_token)

@spec valid_body?(String.t(), String.t(), String.t(), String.t()) :: boolean()

Validate a webhook with a JSON body.

For JSON-bodied requests, Twilio signs the URL with the body's SHA256 hash appended as a bodySHA256 query parameter.