Webhook Signature Verification

Weryfikuj raw body przed parsowaniem JSON. Signature header ma format t=timestamp,v1=hex.

Node.js

import { createHmac, timingSafeEqual } from "node:crypto";

const expected = createHmac("sha256", secret).update(`${timestamp}.${payload}`).digest("hex");
const valid = timingSafeEqual(Buffer.from(expected), Buffer.from(signature));