Webhook signature verification for Fygaro

Navigation

Verified details

These details have been verified by PyPI
Owner

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT License)
  • Author: Fygaro
  • Tags fygaro , webhook , signature
  • Requires: Python >=3.8
Classifiers
Report project as malware

Project description

fygaro-webhook

Webhook signature verification for Fygaro — pure Python stdlib, zero runtime deps

This helper validates the Fygaro-Signature header of incoming webhooks. It supports secret rotation (multiple active secrets), deterministic unit‑testing, and is ready for future hash algorithms.

Installation

pip install fygaro-webhook

Requires Python ≥ 3.8.

Quick start

from fygaro.webhook import FygaroWebhookValidator

validator = FygaroWebhookValidator(
    secrets=[
        "my-primary-secret",  # str or bytes
        # "my-previous-secret",   # include during rotation windows
    ],
    # max_age=300,          # optional (default = 5 min)
)

if not validator.verify_signature(
    signature_header=request.headers["Fygaro-Signature"],
    body=request.body,  # raw bytes exactly as sent
):
    raise ValueError("Invalid signature")

# …process JSON, return 200…

API reference

class FygaroWebhookValidator

Parameter Type Required Default Description
secrets Sequence[str | bytes] One or more active webhook secrets. Provide all currently valid secrets during a rotation window. Each secret can be a UTF‑8 str or raw bytes.
max_age int 300 Maximum allowable clock skew (in seconds) between the timestamp in the header and the server time. A low value mitigates replay attacks
unsafe_skip_ts_validation bool False Test only. When True, the timestamp‑freshness check is skipped and a RuntimeWarning is emitted on instantiation. Never enable in production.

validator.verify_signature(signature_header: str, body: bytes) -> bool

Argument Type Description
signature_header str The exact value of the incoming Fygaro‑Signature HTTP header.
body bytes The unmodified request body (raw bytes). Do not .decode() or re‑serialize.

Return value:

  • True — signature is valid and timestamp is within max_age (unless skipped).
  • False — signature mismatch, stale timestamp, or malformed header.

Writing deterministic unit tests

To keep fixtures stable you can bypass the timestamp‑freshness check without touching production code:

validator = FygaroWebhookValidator(
    secrets=[b"test-secret"],
    unsafe_skip_ts_validation=True,  # ← test‑only flag
)

The first instance created with unsafe_skip_ts_validation=True emits a RuntimeWarning to remind you that this path is unsafe for live traffic.

License

MIT © Fygaro — support: support@fygaro.com

Changelog – @fygaro/webhook

[1.1.0] – 2025-07-10

Added

  • unsafe_skip_ts_validation constructor flag that bypasses the timestamp-freshness check. Meant only for local/unit tests; not safe for production. Emits a RuntimeWarning the first time an instance is created with the flag enabled, to minimise accidental misuse.

[1.0.0] – 2025-06-19

Added

  • Initial release with FygaroWebhookValidator class.
  • Supports multiple secrets & multiple v1= hashes.
  • Constant-time compare and configurable timestamp window.

Project details

Verified details

These details have been verified by PyPI
Owner

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT License)
  • Author: Fygaro
  • Tags fygaro , webhook , signature
  • Requires: Python >=3.8
Classifiers

Release history Release notifications | RSS feed

1.2.0

This version

1.1.2

1.1.1

1.1.0

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fygaro_webhook-1.1.2.tar.gz (6.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

fygaro_webhook-1.1.2-py3-none-any.whl (6.5 kB view details)

Uploaded Python 3

File details

Details for the file fygaro_webhook-1.1.2.tar.gz.

File metadata

  • Download URL: fygaro_webhook-1.1.2.tar.gz
  • Upload date:
  • Size: 6.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for fygaro_webhook-1.1.2.tar.gz
Algorithm Hash digest
SHA256 3ced65986b7422192c540c4b48fbfc50c4a9adcacf8add1f37ad460cfd93beb4
MD5 1e268c69551ed532611cc3476fb87149
BLAKE2b-256 adc8d0d9a447b7d93320c595815ee30165237a55e35fadf4535c922bee431a5f

See more details on using hashes here.

Provenance

The following attestation bundles were made for fygaro_webhook-1.1.2.tar.gz:

Publisher: webhook-python-release.yml on Fygaro/fygaro-sdks

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file fygaro_webhook-1.1.2-py3-none-any.whl.

File metadata

  • Download URL: fygaro_webhook-1.1.2-py3-none-any.whl
  • Upload date:
  • Size: 6.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for fygaro_webhook-1.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 850f10d27a15db8466f8fd2ecd21c1dff7b7e8b9b833e7c98d3337bdd88e6d9f
MD5 6d2bfe494c97b7e27a9050bbe20e282d
BLAKE2b-256 5542577da06a601112f27ed31c448e58cb6361fefb2ff25c8f24f56622f4d9e1

See more details on using hashes here.

Provenance

The following attestation bundles were made for fygaro_webhook-1.1.2-py3-none-any.whl:

Publisher: webhook-python-release.yml on Fygaro/fygaro-sdks

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page