Constant-time HMAC-SHA256 signature verification for incoming Tink webhooks.
Tink signs payloads with the secret configured in your app settings. The
signature arrives in the X-Tink-Signature request header as a lowercase
hex digest.
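An added sketch of the check described above, not Tink.WebhookVerifier's own source: it recomputes HMAC-SHA256 over the raw body and compares the result with the header value in constant time. The module name, error strings and sample values are assumptions; `:crypto.hash_equals/2` requires OTP 25 or later.

```elixir
defmodule WebhookSigSketch do
  # Hypothetical module; illustrates the technique, not the library's code.

  @spec verify(binary(), String.t() | nil, binary()) :: :ok | {:error, String.t()}
  def verify(_body, nil, _secret), do: {:error, "missing signature"}

  def verify(body, signature, secret)
      when is_binary(body) and is_binary(signature) and is_binary(secret) do
    # HMAC-SHA256 over the exact bytes received, not a re-encoded JSON map.
    expected = :crypto.mac(:hmac, :sha256, secret, body)

    # Decode the header as lowercase hex; uppercase or non-hex input is rejected.
    # hash_equals/2 raises on a size mismatch, so the length is checked first
    # (the digest length is public, so this leaks nothing useful).
    with {:ok, given} <- Base.decode16(signature, case: :lower),
         true <- byte_size(given) == byte_size(expected),
         true <- :crypto.hash_equals(expected, given) do
      :ok
    else
      _ -> {:error, "invalid signature"}
    end
  end
end

# Constructed sample values, for illustration only.
secret = "constructed-test-secret"
body = ~s({"event":"constructed:sample"})
good = :crypto.mac(:hmac, :sha256, secret, body) |> Base.encode16(case: :lower)

:ok = WebhookSigSketch.verify(body, good, secret)
# Any change to the bytes (even trailing whitespace) invalidates the digest.
{:error, _} = WebhookSigSketch.verify(body <> " ", good, secret)
# Uppercase hex, a truncated digest and a missing header are all rejected.
{:error, _} = WebhookSigSketch.verify(body, String.upcase(good), secret)
{:error, _} = WebhookSigSketch.verify(body, binary_part(good, 0, 32), secret)
{:error, _} = WebhookSigSketch.verify(body, nil, secret)
```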
Phoenix / Plug usage
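defmodule MyAppWeb.TinkWebhookController do
  use MyAppWeb, :controller

  def handle(conn, _params) do
    # The signature covers the raw request bytes, so verify before decoding.
    # read_body/1 only yields those bytes if no earlier plug (for example
    # Plug.Parsers) has already consumed the body.
    with {:ok, body, conn} <- Plug.Conn.read_body(conn),
         [sig | _] <- Plug.Conn.get_req_header(conn, "x-tink-signature"),
         :ok <- Tink.WebhookVerifier.verify_with_config(body, sig),
         {:ok, event} <- Jason.decode(body) do
      Tink.WebhookHandler.dispatch(event)
      send_resp(conn, 200, "ok")
    else
      [] -> send_resp(conn, 401, "missing signature")
      {:error, reason} when is_binary(reason) -> send_resp(conn, 401, reason)
      # Oversized or unreadable body, or JSON that fails to decode.
      _ -> send_resp(conn, 400, "invalid request")
    end
  end
end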
Functions
Verify a raw body against a signature using the provided secret.
@spec verify_plug(Plug.Conn.t(), String.t() | nil) :: :ok | {:error, String.t()}
Verify an incoming Plug.Conn webhook request.
Verify using the webhook secret from application config.