CoreWebhook signature validation

validate_request

View as MarkdownOpen in Claude

A legacy-compatible signature validator with a drop-in shape for callers migrating from the Compatibility SDK. It accepts either a raw request body or pre-parsed form parameters. When given a raw body string it delegates to validate_webhook_signature; when given parsed form params it validates them directly.

For new custom servers, prefer validate_webhook_signature and pass the raw request body. Use validate_request when you only have access to pre-parsed form parameters.

Parameters

signing_key
strRequired

Your Signing Key from the Dashboard. A missing or empty value raises ValueError.

signature
strRequired

The signature header value. A missing or empty value returns False.

url
strRequired

The full URL SignalWire POSTed to.

params_or_raw_body
Union[str, Mapping[str, Any], List[Tuple[str, Any]], None]Required

Either a raw body str (delegates to validate_webhook_signature) or pre-parsed form params as a dict or list of (key, value) tuples. None is treated as empty params. Any other type raises TypeError.

Returns

boolTrue on a signature match, False otherwise.

Example

1from fastapi import FastAPI, Request, Response, status
2from signalwire.core.security import validate_request
3
4app = FastAPI()
5SIGNING_KEY = "PSK_your_signing_key"
6
7@app.post("/compat-webhook")
8async def compat_webhook(request: Request):
9    form = await request.form()
10    signature = request.headers.get("x-signalwire-signature", "")
11
12    if not validate_request(
13        signing_key=SIGNING_KEY,
14        signature=signature,
15        url=str(request.url),
16        params_or_raw_body=dict(form),
17    ):
18        return Response(status_code=status.HTTP_403_FORBIDDEN)
19
20    return {"ok": True}