import hmac, hashlib
from fastapi import FastAPI, Request, HTTPException
WEBHOOK_SECRET = b"whsec_..."
app = FastAPI()
@app.post("/webhooks/ontora")
async def receive(request: Request):
body = await request.body()
sent = request.headers.get("X-Ontora-Signature", "")
expected = "sha256=" + hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()
if not hmac.compare_digest(sent, expected):
raise HTTPException(status_code=401, detail="invalid signature")
payload = await request.json()
# ... handle payload
return {"ok": True}