OCI Functions starter patterns

oci-fn-webhook-signature-verifier keeps a small security boundary legible instead of hiding verification inside a larger webhook stack.

This guide exists because signature checks are one of those boundaries that look obvious until they are buried inside a bigger integration. The repo keeps the scope narrow: raw payload in, computed HMAC out, pass or fail made visible.

Open GitHub repo Back to projects

Why this repo carries the track

A short site-side guide before the proof layer on GitHub.

What it proves

A starter security repo gets stronger when it exposes the verification step and the audit output directly instead of hiding the most important boundary inside framework glue.

Why it matters in this track

It belongs in the OCI Functions starter pattern track because it shows a credible boundary with a believable contract: body, signature, secret, and a small audit payload the next layer can inspect.

What survives the first run

The verification result is the artifact. It makes the security decision and the computed digest visible enough for later logging, rejection, or replay handling.

What the first useful success looks like

oci-fn-webhook-signature-verifier as a first useful success, not only a demo.

The first useful run is a pass or fail decision with the provided and computed signature both visible. That is enough to make the boundary inspectable before you add a webhook gateway, database write, or retry behavior.

Use this when a signed webhook flow should prove the verification boundary first, then layer in auth, replay protection, or downstream event handling after the contract is clear.

Quick run

python3 - <<'PY'
import json, hmac, hashlib
from func import verify_signature
payload = '{"event":"invoice.paid","id":"evt_123"}'
secret = 'topsecret'
provided = hmac.new(secret.encode('utf-8'), payload.encode('utf-8'), hashlib.sha256).hexdigest()
valid, computed = verify_signature(secret, payload, provided)
print(json.dumps({"valid": valid, "provided_signature": provided, "computed_signature": computed}, indent=2))
PY

Sample output shape

{
  "valid": true,
  "provided_signature": "723b7093e99ad943b3c5f2afe02f66a1e0c2306c26a3cf76fc52be0173ff337d",
  "computed_signature": "723b7093e99ad943b3c5f2afe02f66a1e0c2306c26a3cf76fc52be0173ff337d"
}

Where it routes next

Checks inbound webhook signatures with a small audit payload instead of burying the verification step.

Use this when a signed webhook flow should prove the verification boundary first, then layer in auth, replay protection, or downstream event handling after the contract is clear.

Open full track Starter repo note Case studies

Oracle post · 2026-04-07

Functions Design Patterns

A practical pattern guide for routing, validation, and async execution.

Read post