/ 
Apertur-SDK-0.02
/ Apertur::SDK::Signature

NAME

Apertur::SDK::Signature - Webhook signature verification

SYNOPSIS

use Apertur::SDK::Signature qw(
    verify_webhook_signature
    verify_event_signature
    verify_svix_signature
);

# Image delivery webhook
my $valid = verify_webhook_signature($body, $signature, $secret);

# Event webhook (HMAC method)
my $valid = verify_event_signature($body, $timestamp, $signature, $secret);

# Event webhook (Svix method)
my $valid = verify_svix_signature($body, $svix_id, $timestamp, $signature, $secret);

DESCRIPTION

Provides functions to verify webhook signatures sent by the Apertur API. All comparisons use constant-time algorithms to prevent timing attacks.

FUNCTIONS

verify_webhook_signature($body, $signature, $secret)

Verifies an image delivery webhook. The signature is expected to be in the format sha256=<hex>.

verify_event_signature($body, $timestamp, $signature, $secret)

Verifies an event webhook using the HMAC method. The signed payload is ${timestamp}.${body}.

verify_svix_signature($body, $svix_id, $timestamp, $signature, $secret)

Verifies an event webhook using the Svix method. The signed payload is ${svix_id}.${timestamp}.${body} and the secret is hex-decoded before use. The signature is expected in the format v1,<base64>.