Verifying incoming requests

The Authsignal Server SDK can be used to parse and verify incoming webhook events.

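import { Authsignal } from "@authsignal/node";

const authsignal = new Authsignal({ apiSecretKey: "YOUR_SECRET_KEY" });

// Obtain raw request body and signature header
// For example using Express (https://expressjs.com/)
const payload = req.body;
// Node.js lower-cases incoming header names, so look the header up in lower case
const sig = req.headers["x-signature-v2"];

// Parse the event after verifying the signature against the raw payload
const event = authsignal.webhook.constructEvent(payload, sig);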

The Authsignal SDK requires the raw body of the request to verify the signature. If you’re using a framework, make sure it doesn’t manipulate the raw body as this will cause the signature verification to fail.

To protect against replay attacks, the SDK will error if more than 5 minutes have elapsed since the time that the event was sent. This threshold can be customized by passing a tolerance value: the time (in minutes) after which requests should be rejected.

const payload = req.body;
// Node.js lower-cases incoming header names
const sig = req.headers["x-signature-v2"];
// Reject events sent more than 10 minutes ago
const tolerance = 10;

const event = authsignal.webhook.constructEvent(payload, sig, tolerance);
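The following added example (not Authsignal's code, and not its wire format) shows why both the raw-body requirement and the tolerance window matter, using a generic timestamped HMAC check. The header layout, the `mac`, `sign` and `verify` helpers, the secret and the payload are all assumptions constructed for illustration.

```javascript
// Added illustration only: a generic HMAC webhook scheme, not Authsignal's wire format.
const { createHmac, timingSafeEqual } = require("node:crypto");

// MAC over "<timestamp>.<raw body>" so the send time is covered by the signature.
function mac(rawBody, secret, timestamp) {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest();
}

// Hypothetical header layout: "t=<unix seconds>,v2=<base64 MAC>".
function sign(rawBody, secret, timestamp) {
  return `t=${timestamp},v2=${mac(rawBody, secret, timestamp).toString("base64")}`;
}

function verify(rawBody, header, secret, toleranceMinutes = 5, nowMs = Date.now()) {
  const parts = Object.fromEntries(
    String(header).split(",").map((kv) => {
      const i = kv.indexOf("=");
      return [kv.slice(0, i), kv.slice(i + 1)];
    })
  );
  const timestamp = Number(parts.t);
  if (!Number.isInteger(timestamp) || !parts.v2) return "malformed";

  // Replay window: reject once more than the tolerance has elapsed since sending.
  if (nowMs / 1000 - timestamp > toleranceMinutes * 60) return "expired";

  const expected = mac(rawBody, secret, timestamp);
  const received = Buffer.from(parts.v2, "base64");
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (expected.length !== received.length || !timingSafeEqual(expected, received)) {
    return "bad-signature";
  }
  return "ok";
}

// Constructed sample data.
const SECRET = "constructed-test-secret";
const NOW_MS = 1700000000000; // fixed clock so the run is reproducible
const rawBody = '{"event": "demo",  "id": 1}'; // bytes exactly as sent
const header = sign(rawBody, SECRET, NOW_MS / 1000);
const reparsed = JSON.stringify(JSON.parse(rawBody)); // what a JSON body parser leaves you

console.log(verify(rawBody, header, SECRET, 5, NOW_MS));
console.log(verify(reparsed, header, SECRET, 5, NOW_MS));
console.log(verify(rawBody, header, SECRET, 5, NOW_MS + 6 * 60 * 1000));
console.log(verify(rawBody, header, SECRET, 10, NOW_MS + 6 * 60 * 1000));
```

The re-serialized body carries the same JSON but different bytes, so its MAC no longer matches. A missing header (for example from a wrong-case lookup) is reported as malformed before any comparison is attempted.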