Expand description
Webhook signature verification — HMAC-SHA256 with constant-time compare.
Rerout signs every delivery as t={unix_seconds},v1={hex_hmac_sha256}
where the HMAC is computed over "{timestamp}.{raw_body}" keyed by the
endpoint signing secret. This module exposes a single free function that
returns true if and only if the signature is valid.
Constants§
- DEFAULT_
TOLERANCE_ SECONDS - Default tolerance window (in seconds) between the
t=timestamp and the current time. Five minutes — protects against captured-replay attacks.
Functions§
- verify_
rerout_ signature - Verify a Rerout webhook signature.