# `Twilio.Webhook`
[🔗](https://github.com/jeffhuen/twilio_elixir/blob/main/lib/twilio/webhook.ex#L1)

Webhook request validation.

Verifies that incoming HTTP requests are genuinely from Twilio
using HMAC-SHA1 signature verification.

## Form-encoded webhooks (standard)

    url = "https://myapp.com/webhooks/twilio"
    signature = get_req_header(conn, "x-twilio-signature") |> List.first()

    Twilio.Webhook.valid?(url, params, signature, auth_token)

## JSON-bodied webhooks

    Twilio.Webhook.valid_body?(url, raw_body, signature, auth_token)

# `build_body_hash`

```elixir
@spec build_body_hash(String.t()) :: String.t()
```

Build the SHA256 hash of a request body (for JSON webhook validation).

# `build_signature`

```elixir
@spec build_signature(String.t(), map(), String.t()) :: String.t()
```

Build the expected HMAC-SHA1 signature for a request.

# `valid?`

```elixir
@spec valid?(String.t(), map(), String.t(), String.t()) :: boolean()
```

Validate an incoming webhook request signature.

Concatenates the URL with sorted POST parameters, computes
HMAC-SHA1 with the auth token, and compares to the signature.

# `valid_body?`

```elixir
@spec valid_body?(String.t(), String.t(), String.t(), String.t()) :: boolean()
```

Validate a webhook with a JSON body.

For JSON-bodied requests, Twilio signs the URL with the body's SHA256 hash
appended as a `bodySHA256` query parameter.

---

*Consult [api-reference.md](api-reference.md) for complete listing*