What's new in v0.15.5
HMAC-only inbound webhook authentication
This patch hardens the BORD-535 inbound webhook foundation by removing the raw
webhook secret from every runtime request. New inbound webhook requests are
verified from the stored config secret hash and the timestamped signature header.
Highlights
POST /api/v1/inbound-webhooks/:slugnow rejects?secret=and the deprecated
X-Switchbord-Webhook-Secret header before the request reaches the webhook
processor.
- Webhook callers sign requests with `X-Switchbord-Signature:
t=
- Signature comparison remains timing-safe and scoped to the webhook config
resolved by slug.
- Tests cover valid signatures, missing timestamps, expired timestamps, invalid
signatures, duplicate digest/header formats, and raw-secret rejection.
- Docs and Settings UI examples now show signature-only requests.
Why it matters
Webhook secrets should be revealed only at creation time. They should not be
resent on every request where they can leak through middleware, logs, or support
screenshots. This keeps the integration path closer to production-grade webhook
contracts used by payment and event platforms.