Webhook signature verification for Fygaro
Project description
fygaro-webhook
Webhook signature verification for Fygaro — pure Python stdlib, zero runtime deps
This helper validates the Fygaro-Signature header of incoming webhooks.
It supports secret rotation (multiple active secrets), deterministic unit‑testing, and is ready for future
hash algorithms.
Installation
pip install fygaro-webhook
Requires Python ≥ 3.8.
Quick start
from fygaro.webhook import FygaroWebhookValidator
validator = FygaroWebhookValidator(
secrets=[
"my-primary-secret", # str or bytes
# "my-previous-secret", # include during rotation windows
],
# max_age=300, # optional (default = 5 min)
)
if not validator.verify_signature(
signature_header=request.headers["Fygaro-Signature"],
body=request.body, # raw bytes exactly as sent
):
raise ValueError("Invalid signature")
# …process JSON, return 200…
API reference
class FygaroWebhookValidator
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
secrets |
Sequence[str | bytes] |
✔ | — | One or more active webhook secrets. Provide all currently valid secrets during a rotation window. Each secret can be a UTF‑8 str or raw bytes. |
max_age |
int |
✖ | 300 |
Maximum allowable clock skew (in seconds) between the timestamp in the header and the server time. A low value mitigates replay attacks |
unsafe_skip_ts_validation |
bool |
✖ | False |
Test only. When True, the timestamp‑freshness check is skipped and a RuntimeWarning is emitted on instantiation. Never enable in production. |
validator.verify_signature(signature_header: str, body: bytes) -> bool
| Argument | Type | Description |
|---|---|---|
signature_header |
str |
The exact value of the incoming Fygaro‑Signature HTTP header. |
body |
bytes |
The unmodified request body (raw bytes). Do not .decode() or re‑serialize. |
Return value:
True— signature is valid and timestamp is withinmax_age(unless skipped).False— signature mismatch, stale timestamp, or malformed header.
Writing deterministic unit tests
To keep fixtures stable you can bypass the timestamp‑freshness check without touching production code:
validator = FygaroWebhookValidator(
secrets=[b"test-secret"],
unsafe_skip_ts_validation=True, # ← test‑only flag
)
The first instance created with unsafe_skip_ts_validation=True emits a
RuntimeWarning to remind you that this path is unsafe for live traffic.
Changelog
See CHANGELOG.md for release notes.
License
MIT © Fygaro — support: support@fygaro.com
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file fygaro_webhook-1.1.0.tar.gz.
File metadata
- Download URL: fygaro_webhook-1.1.0.tar.gz
- Upload date:
- Size: 5.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cc70c32fb1616f25872ad29fdfb68178eb3daa41f9ddf9b1a714c5a3d35f29db
|
|
| MD5 |
9251bdd4cbd1495e99cd5c37ac3106e0
|
|
| BLAKE2b-256 |
f70aa027085997423f324ef3abd7c44e4c51c1780d303068a0d7a07a7881fe14
|
Provenance
The following attestation bundles were made for fygaro_webhook-1.1.0.tar.gz:
Publisher:
webhook-python-release.yml on Fygaro/fygaro-sdks
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
fygaro_webhook-1.1.0.tar.gz -
Subject digest:
cc70c32fb1616f25872ad29fdfb68178eb3daa41f9ddf9b1a714c5a3d35f29db - Sigstore transparency entry: 270795472
- Sigstore integration time:
-
Permalink:
Fygaro/fygaro-sdks@468df62fb4fabdc0906e4c7b8551b2b2e1854625 -
Branch / Tag:
refs/tags/webhook-python-v1.1.0 - Owner: https://github.com/Fygaro
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
webhook-python-release.yml@468df62fb4fabdc0906e4c7b8551b2b2e1854625 -
Trigger Event:
push
-
Statement type:
File details
Details for the file fygaro_webhook-1.1.0-py3-none-any.whl.
File metadata
- Download URL: fygaro_webhook-1.1.0-py3-none-any.whl
- Upload date:
- Size: 6.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
aaa2b4665c5c7983c2468155d3184f0a2def0916787b620bddb4e7d88b5d00f4
|
|
| MD5 |
1a627e66761e947be4c7ecc4961aac45
|
|
| BLAKE2b-256 |
b4aca99f880e693de5f89315a9fe41e070e9ec8d230fcbe5aa51e1c5de716891
|
Provenance
The following attestation bundles were made for fygaro_webhook-1.1.0-py3-none-any.whl:
Publisher:
webhook-python-release.yml on Fygaro/fygaro-sdks
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
fygaro_webhook-1.1.0-py3-none-any.whl -
Subject digest:
aaa2b4665c5c7983c2468155d3184f0a2def0916787b620bddb4e7d88b5d00f4 - Sigstore transparency entry: 270795478
- Sigstore integration time:
-
Permalink:
Fygaro/fygaro-sdks@468df62fb4fabdc0906e4c7b8551b2b2e1854625 -
Branch / Tag:
refs/tags/webhook-python-v1.1.0 - Owner: https://github.com/Fygaro
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
webhook-python-release.yml@468df62fb4fabdc0906e4c7b8551b2b2e1854625 -
Trigger Event:
push
-
Statement type:
