Python Signature Verification
import hmac
import hashlib
from datetime import datetime, timezone
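def verify_praeto_signature(
    raw_body: bytes,
    headers: dict,
    secret: str,
    tolerance_seconds: int = 300,
) -> bool:
    """Return True when the request carries a fresh, valid Praeto signature.

    The signed message is ``delivery_id + "." + timestamp + "." + raw_body``
    and the expected value is ``"v1=" + hex(HMAC-SHA256(secret, message))``.
    The signature header may hold several comma-separated candidates; one
    exact match is enough.

    Args:
        raw_body: The request body exactly as received. Verify before any
            JSON parsing or re-serialisation, since the MAC covers raw bytes.
        headers: Mapping of header name to value. Names are looked up in
            lower case (``praeto-delivery-id``, ``praeto-timestamp``,
            ``praeto-signature``), so pass a mapping that exposes them so.
        secret: Shared signing secret.
        tolerance_seconds: Maximum allowed distance, in either direction,
            between the signed timestamp and the local UTC clock.

    Returns:
        False for a missing header, an unparseable or timezone-less
        timestamp, a timestamp outside the tolerance window, or when no
        candidate matches; True otherwise.

    Note:
        No delivery id is recorded here, so a captured request verifies
        again until its timestamp leaves the tolerance window. Deduplicate
        on ``praeto-delivery-id`` in the caller if replays matter.
    """
    delivery_id = headers.get("praeto-delivery-id")
    timestamp = headers.get("praeto-timestamp")
    signature_header = headers.get("praeto-signature")
    if not delivery_id or not timestamp or not signature_header:
        return False

    try:
        # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
        ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    except ValueError:
        return False

    # A timestamp without an offset parses as a naive datetime; subtracting
    # it from an aware "now" raises TypeError. Reject it instead of crashing
    # on attacker-controlled input.
    if ts.utcoffset() is None:
        return False

    age = abs((datetime.now(timezone.utc) - ts).total_seconds())
    if age > tolerance_seconds:
        return False

    base = (
        delivery_id.encode("utf-8")
        + b"."
        + timestamp.encode("utf-8")
        + b"."
        + raw_body
    )
    digest = hmac.new(secret.encode("utf-8"), base, hashlib.sha256).hexdigest()
    expected = ("v1=" + digest).encode("utf-8")

    # Compare as bytes: compare_digest() raises TypeError on str arguments
    # containing non-ASCII characters, and the candidates come straight from
    # a request header.
    return any(
        hmac.compare_digest(part.strip().encode("utf-8"), expected)
        for part in signature_header.split(",")
    )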