ClearBank.Webhook.Verifier (ClearBank v1.0.0)


Verifies the DigitalSignature on inbound ClearBank webhooks.

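ClearBank signs each webhook body with its private key. You must verify this signature using ClearBank's public key, downloaded from the Portal under Webhook Management > Download Public Key. Verify against the raw request body exactly as received, before any JSON parsing, because re-encoding the payload can change the bytes that were signed.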

Usage

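# At startup, load ClearBank's public key
pub_key_pem = File.read!("clearbank_webhook_public_key.pem")

# In your webhook endpoint handler
# Use the body bytes exactly as received (captured before any parsing): the
# signature covers the webhook body, so a decoded and re-encoded payload
# must not be substituted for it.
raw_body = conn.assigns[:raw_body]

# Fail closed. A request without a DigitalSignature header never reaches
# verify/3 (its spec takes a String.t(), not nil), and every {:error, _}
# it can return (:invalid_signature or :bad_encoding) ends in the same
# rejection instead of an unmatched clause.
with [signature | _] <- Plug.Conn.get_req_header(conn, "digitalsignature"),
     :ok <- ClearBank.Webhook.Verifier.verify(raw_body, signature, pub_key_pem) do
  # Signature valid — proceed to parse and process
  {:ok, webhook} = ClearBank.Webhook.parse(Jason.decode!(raw_body))
  process(webhook)
else
  _unverified ->
    # Reject — do not process
    conn |> send_resp(401, "") |> halt()
end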

Summary

Functions

Verifies a webhook's DigitalSignature header.

Functions

verify(body, signature_b64, public_key_pem)

@spec verify(
  body :: iodata(),
  signature_b64 :: String.t(),
  public_key_pem :: binary()
) ::
  :ok | {:error, :invalid_signature | :bad_encoding}

Verifies a webhook's DigitalSignature header.

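Returns :ok when the signature is valid, or {:error, :invalid_signature | :bad_encoding} otherwise. Treat either error as a failed verification and do not process the webhook.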