每个请求带 header TiaoLi-Signature: t={timestamp},v1={hmac}。接收端用 webhook secret 验证
Python 示例:
import hmac, hashlib
header = request.headers["TiaoLi-Signature"]
ts, sig = [p.split("=",1)[1] for p in header.split(",")]
expected = hmac.new(SECRET.encode(), f"{ts}.".encode() + request.body,
hashlib.sha256).hexdigest()
assert hmac.compare_digest(expected, sig)