Worldline Direct webhook verification: X-GCS-Signature carries
base64(HMAC-SHA256(webhookSecret, rawBody)), and X-GCS-KeyId names which
webhook key produced it. Verification MUST hash the exact raw body bytes.
Several keys may be active at once (rotation): the key matching X-GCS-KeyId
is tried first, then the rest — any active key verifying wins, so a rotation
needs no cutover.
WebCrypto (async) so this runs on edge runtimes as well as Node.
Worldline Direct webhook verification:
X-GCS-Signaturecarries base64(HMAC-SHA256(webhookSecret, rawBody)), andX-GCS-KeyIdnames which webhook key produced it. Verification MUST hash the exact raw body bytes.Several keys may be active at once (rotation): the key matching
X-GCS-KeyIdis tried first, then the rest — any active key verifying wins, so a rotation needs no cutover.WebCrypto (async) so this runs on edge runtimes as well as Node.