Generates and verifies Rapyd HMAC-SHA256 request signatures.
Request Signing
Every API request must carry three headers built from the signature:
access_key— your Rapyd access keysalt— a random 8-byte hex string (16 chars), unique per requesttimestamp— current Unix epoch in secondssignature—BASE64(HMAC-SHA256(lower(method) + path + salt + timestamp + access_key + secret_key + body))
Webhook Verification
Incoming Rapyd webhooks are signed with the same algorithm but without a method prefix:
BASE64(HMAC-SHA256(http_body + salt + timestamp + access_key + secret_key))Call verify_webhook/4 to authenticate an inbound event.
Summary
Functions
Compute the three signing headers needed for an authenticated API request.
Verify the HMAC-SHA256 signature on an inbound Rapyd webhook.
Functions
@spec sign_request( method :: atom() | String.t(), path :: String.t(), body :: iodata(), access_key :: String.t(), secret_key :: String.t() ) :: {salt :: String.t(), timestamp :: String.t(), signature :: String.t()}
Compute the three signing headers needed for an authenticated API request.
Returns {access_key, salt, timestamp_string, signature_base64}.
Parameters
method— HTTP method atom or string, e.g.:getor"POST"path— request path including query string, e.g."/v1/payments"body— request body as an iodata-compatible value; pass""for GETaccess_key— Rapyd access keysecret_key— Rapyd secret key
@spec verify_webhook( raw_body :: iodata(), salt :: String.t(), timestamp :: String.t(), received_sig :: String.t(), access_key :: String.t(), secret_key :: String.t() ) :: :ok | {:error, Rapyd.Error.t()}
Verify the HMAC-SHA256 signature on an inbound Rapyd webhook.
Uses constant-time comparison to prevent timing attacks.
Returns :ok or {:error, %Rapyd.Error{type: :webhook_signature}}.