Signature signing and verification per the Standard Webhooks spec.
This is a small re-implementation of the algorithm described at https://www.standardwebhooks.com/, mirroring the public surface of the upstream Elixir reference at https://github.com/standard-webhooks/standard-webhooks/tree/main/libraries/elixir.
Vendored to remove a git-only dependency that blocked Hex publish.
Functions
Signs a payload and returns a v1,<base64-signature> header value.
- id — webhook message id (string)
- timestamp — unix seconds (integer)
- payload — map; JSON-encoded internally
- secret — raw HMAC secret bytes, OR a base64 string, OR a whsec_<base64> string
@spec validate_timestamp(integer()) :: :ok
Raises if timestamp is outside the 5-minute tolerance window. Returns :ok.
@spec verify(map(), Plug.Conn.t(), binary()) :: boolean()
Verifies a payload against the signatures present on conn.
Reads webhook-id, webhook-timestamp, and webhook-signature headers and
returns true when at least one signature matches. Raises ArgumentError
when required headers are missing.
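
The signing and verification scheme described above, as an added sketch that is not the vendored module's or the upstream library's code. The module name `WebhookSigSketch`, its argument order and the sample values are assumptions. Unlike the documented functions, it takes the already-encoded request body instead of a map and returns false for a stale timestamp instead of raising.

```elixir
# Added example: names are hypothetical, not this library's API.
defmodule WebhookSigSketch do
  @tolerance_seconds 5 * 60

  # Assumption: a "whsec_" prefix marks a base64-encoded key; anything else is raw bytes.
  def decode_secret("whsec_" <> b64), do: Base.decode64!(b64)
  def decode_secret(raw) when is_binary(raw), do: raw

  # Signed content is "<id>.<timestamp>.<body>", authenticated with HMAC-SHA256.
  def sign(id, timestamp, body, secret) when is_integer(timestamp) and is_binary(body) do
    mac = :crypto.mac(:hmac, :sha256, decode_secret(secret), "#{id}.#{timestamp}.#{body}")
    "v1," <> Base.encode64(mac)
  end

  # `body` must be the exact bytes received; re-encoding parsed JSON can change them.
  def verify(id, timestamp, body, header, secret, now \\ System.system_time(:second)) do
    expected = sign(id, timestamp, body, secret)
    fresh? = abs(now - timestamp) <= @tolerance_seconds

    # The header may carry several space-separated signatures (key rotation).
    # Every v1 entry is compared; the reduce does not stop at the first match.
    matched? =
      header
      |> String.split(" ", trim: true)
      |> Enum.filter(&String.starts_with?(&1, "v1,"))
      |> Enum.reduce(false, fn candidate, acc -> secure_equal?(candidate, expected) or acc end)

    fresh? and matched?
  end

  # :crypto.hash_equals/2 (OTP 25+) is constant-time but requires equal sizes.
  defp secure_equal?(a, b) when byte_size(a) == byte_size(b), do: :crypto.hash_equals(a, b)
  defp secure_equal?(_, _), do: false
end

# Constructed sample values, not taken from any real integration.
secret = "whsec_" <> Base.encode64("constructed-demo-key")
body = ~s({"type":"invoice.paid"})
now = 1_700_000_000
sig = WebhookSigSketch.sign("msg_demo", now, body, secret)
header = "v1,AAAA " <> sig

IO.inspect(WebhookSigSketch.verify("msg_demo", now, body, header, secret, now), label: "rotated header")
IO.inspect(WebhookSigSketch.verify("msg_demo", now, body <> " ", header, secret, now), label: "tampered body")
IO.inspect(WebhookSigSketch.verify("msg_demo", now, body, header, secret, now + 301), label: "stale timestamp")
```

Because the timestamp is part of the signed content, an attacker cannot refresh it on a captured message; the tolerance check is what bounds replay of an unmodified one.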