Download the PHP package philiprehberger/webhook-signature without Composer
On this page you can find all versions of the php package philiprehberger/webhook-signature. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Table of contents
Download philiprehberger/webhook-signature
More information about philiprehberger/webhook-signature
Files in philiprehberger/webhook-signature
Download philiprehberger/webhook-signature
More information about philiprehberger/webhook-signature
Files in philiprehberger/webhook-signature
Vendor philiprehberger
Package webhook-signature
Short Description Minimal, framework-agnostic HMAC-SHA256 webhook signature generation and verification with replay attack prevention
License MIT
Homepage https://github.com/philiprehberger/webhook-signature
Package webhook-signature
Short Description Minimal, framework-agnostic HMAC-SHA256 webhook signature generation and verification with replay attack prevention
License MIT
Homepage https://github.com/philiprehberger/webhook-signature
Please rate this library. Is it a good library?
Informations about the package webhook-signature
PHP Webhook Signature
Minimal, framework-agnostic HMAC-SHA256 webhook signature generation and verification with replay attack prevention.
Requirements
- PHP 8.2+
Installation
Usage
Sender Side — Signing an Outgoing Payload
Receiver Side — Verifying an Incoming Webhook
Replay Attack Prevention
By default, signatures older than 300 seconds (5 minutes) are rejected. Adjust the tolerance for your use case:
Exception-Based Flow with verifyOrFail()
Key Rotation with Multiple Secrets
When rotating webhook secrets, both the old and new secrets can be accepted during the transition period:
Algorithm-Specific Signing
Use signWith() and verifyWith() to sign and verify with SHA-384 or SHA-512 instead of the default SHA-256:
API
| Method | Description |
|---|---|
WebhookSignature::generate(string $payload, string $secret, ?int $timestamp = null): string |
Sign a payload; returns the formatted t={ts},v1={hmac} header value |
WebhookSignature::verify(string $payload, string $signature, string $secret, int $tolerance = 300): bool |
Verify a signature; returns false if malformed, expired, or invalid |
WebhookSignature::verifyOrFail(string $payload, string $signature, string $secret, int $tolerance = 300): void |
Verify a signature; throws InvalidSignatureException or SignatureExpiredException on failure |
WebhookSignature::signWith(string $payload, string $secret, SignatureAlgorithm $algorithm, ?int $timestamp = null): string |
Sign a payload using a specific algorithm (SHA-256, SHA-384, or SHA-512) |
WebhookSignature::verifyWith(string $payload, string $signature, string $secret, SignatureAlgorithm $algorithm, int $tolerance = 300): bool |
Verify a signature using a specific algorithm |
WebhookSignature::verifyWithMultipleSecrets(string $payload, string $signature, array $secrets, int $tolerance = 300): bool |
Verify against multiple secrets; returns true if any matches (key rotation) |
WebhookSignature::parseSignatureHeader(string $signature): ?array |
Parse a signature header into ['timestamp' => int, 'v1' => string]; returns null on malformed input |
Development
Support
If you find this project useful:
License
MIT
All versions of webhook-signature with dependencies
PHP Build Version
Package Version
Requires
php Version
^8.2
The package philiprehberger/webhook-signature contains the following files
Loading the files please wait ...