API reference · Webhooks
POST/api/v1/webhooks/verify
Product availabilityAlgaPSA

Verify webhook signature

Verifies an X-Alga-Signature header value against a stored signing secret. Returns { valid: true } only for sha256 with a matching v1 signature.

RBAC · webhook

Request body

Content type: application/json · schema WebhookSignatureBodyV1

algorithmstringRequired
Only sha256 is currently honored; other values yield valid=false.
Enum: sha1sha256sha512
signaturestringRequired
Either the raw v1 signature, or the canonical "t=<unix>,v1=<sig>" header value. When raw and a timestamp is supplied, the controller assembles the canonical form before verifying.
timestampnumber
Unix-seconds timestamp paired with a raw v1 signature.
bodystringRequired
Exact request body bytes to verify against.
webhook_idstring <uuid>
Resolves the signing secret from webhooks.signing_secret_vault_path.
secret_vault_pathstring
Vault key (basename of secret_vault_path) used when no webhook_id is supplied. webhook_id or secret_vault_path is required.

Response body

Success response 200 · schema WebhookSignatureValidationEnvelopeV1

dataobjectRequired
validbooleanRequired
metaobject

Response codes

200
Signature verification result.
400
Invalid request payload, query, or webhook id format.
401
API key missing/invalid or key user missing.
403
Webhook RBAC permission denied.
404
Webhook, delivery, template, or signing secret not found.
500
Unexpected webhook operation failure.