
Python Signature Verification

import hmac
import hashlib
from datetime import datetime, timezone

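def verify_praeto_signature(raw_body: bytes, headers: dict, secret: str, tolerance_seconds: int = 300) -> bool:
    """Verify the HMAC-SHA256 signature on an incoming webhook delivery.

    The signed message is ``<delivery-id>.<timestamp>.<raw body>``. The
    ``praeto-signature`` header carries one or more comma-separated
    ``v1=<hex digest>`` values; the delivery is accepted if any one of
    them matches.

    Args:
        raw_body: The request body exactly as received, before any parsing
            or re-serialisation (the digest is over the raw bytes).
        headers: Request headers, looked up by the lower-case names
            ``praeto-delivery-id``, ``praeto-timestamp`` and
            ``praeto-signature``.
        secret: The shared webhook secret.
        tolerance_seconds: Maximum accepted distance, in seconds, between
            now (UTC) and the ``praeto-timestamp`` header, in either
            direction.

    Returns:
        True only if the timestamp is inside the tolerance window and a
        signature candidate matches. Malformed or missing input never
        raises from this function; it yields False.
    """
    delivery_id = headers.get("praeto-delivery-id")
    timestamp = headers.get("praeto-timestamp")
    signature_header = headers.get("praeto-signature")

    # All three headers are attacker-controlled signed inputs; a missing or
    # non-string value cannot be verified, so fail closed instead of
    # raising later on .replace()/.encode().
    if not all(isinstance(v, str) and v for v in (delivery_id, timestamp, signature_header)):
        return False

    try:
        ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    except ValueError:
        return False
    # A naive timestamp (no UTC offset) cannot be subtracted from the
    # aware current time -- that subtraction raised TypeError before.
    # Reject it rather than guess its zone.
    if ts.tzinfo is None or ts.utcoffset() is None:
        return False

    # The timestamp is part of the signed payload, so this bounds how long
    # a captured delivery stays replayable.
    age = abs((datetime.now(timezone.utc) - ts).total_seconds())
    if age > tolerance_seconds:
        return False

    base = delivery_id.encode("utf-8") + b"." + timestamp.encode("utf-8") + b"." + raw_body
    digest = hmac.new(secret.encode("utf-8"), base, hashlib.sha256).hexdigest()
    expected = b"v1=" + digest.encode("ascii")

    # hmac.compare_digest on str raises TypeError for non-ASCII input, which
    # the sender of the header controls; comparing bytes keeps any
    # malformed candidate at a plain False.
    candidates = [part.strip().encode("utf-8") for part in signature_header.split(",")]
    return any(hmac.compare_digest(candidate, expected) for candidate in candidates)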