Skip to main content

Module webhooks

Module webhooks 

Source
Expand description

Webhook signature verification — HMAC-SHA256 with constant-time compare.

Rerout signs every delivery as t={unix_seconds},v1={hex_hmac_sha256} where the HMAC is computed over "{timestamp}.{raw_body}" keyed by the endpoint signing secret. This module exposes a single free function that returns true if and only if the signature is valid.

Constants§

DEFAULT_TOLERANCE_SECONDS
Default tolerance window (in seconds) between the t= timestamp and the current time. Five minutes — protects against captured-replay attacks.

Functions§

verify_rerout_signature
Verify a Rerout webhook signature.