Function verify_headers 

pub fn verify_headers(
    secrets: &[&WebhookSecret],
    headers: &HeaderMap,
    body: &[u8],
    tolerance: Duration,
) -> Result<()>

Parse Standard Webhooks headers from an incoming request and verify the signature.

Reads webhook-id, webhook-timestamp, and webhook-signature from headers. Validates that the timestamp is within tolerance of the current time (replay-attack protection), then checks every signature entry prefixed with v1, against every secret in secrets. Returns Ok(()) as soon as one combination matches; returns an error if none does.

Errors

Returns Error when:

  • Any of the three required headers (webhook-id, webhook-timestamp, webhook-signature) is missing or not valid UTF-8 (400 Bad Request)
  • webhook-timestamp is not a valid integer (400 Bad Request)
  • The timestamp is outside the tolerance window (400 Bad Request)
  • No signature entry matches any provided secret (400 Bad Request)
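The order of checks described above (integer timestamp, tolerance window, then every v1, entry against every secret) can be sketched with the standard library alone. This is an added example, not the crate's source: check, Reject and ct_eq are hypothetical names, and expected is assumed to hold the base64 MAC the receiver has already computed for each configured secret, since the MAC computation itself is not shown.

```rust
use std::time::Duration;

// Added illustration, not the crate's code. All names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Reject { BadTimestamp, OutsideTolerance, NoMatch }

// Compare without stopping at the first differing byte, so response timing
// does not reveal how much of a guessed signature was correct.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

// `expected`: assumed to be the base64 MAC computed for each configured secret.
pub fn check(ts_header: &str, sig_header: &str, now: i64, tolerance: Duration,
             expected: &[&str]) -> Result<(), Reject> {
    // webhook-timestamp must parse as an integer (Unix seconds).
    let ts: i64 = ts_header.trim().parse().map_err(|_| Reject::BadTimestamp)?;
    // Reject stale and future-dated messages alike: |now - ts| <= tolerance.
    if now.abs_diff(ts) > tolerance.as_secs() {
        return Err(Reject::OutsideTolerance);
    }
    // webhook-signature is a space-separated list; only "v1," entries count.
    let candidates = sig_header.split_whitespace().filter_map(|e| e.strip_prefix("v1,"));
    for cand in candidates {
        // Any secret may match, so old and new secrets both work during rotation.
        if expected.iter().any(|e| ct_eq(cand.as_bytes(), e.as_bytes())) {
            return Ok(());
        }
    }
    Err(Reject::NoMatch)
}

fn main() {
    // Constructed sample values; the signature strings are placeholders, not real MACs.
    let (now, tol) = (1_700_000_300i64, Duration::from_secs(300));
    let expected = ["b2xkLXNlY3JldC1tYWM=", "bmV3LXNlY3JldC1tYWM="];
    let header = "v2,aWdub3JlZA== v1,bmV3LXNlY3JldC1tYWM=";
    println!("{:?}", check("1700000000", header, now, tol, &expected));
    println!("{:?}", check("1699999999", header, now, tol, &expected));
}
```

The timestamp is checked before any signature comparison, so a captured request with a valid signature is still rejected once it falls outside the window.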