Product
Introducing Webhook Events for Alert Changes
Add real-time Socket webhook events to your workflows to automatically receive software supply chain alert changes in real time.
By Phil Gates-Idem -  Nov 21, 2025
🚀 DAY 5 OF LAUNCH WEEK:Introducing Webhook Events for Alert Changes.Learn more →
carbon-verifier
Artifacts are distributable versions of a package. It typically includes the source code and metadata
Advanced tools
- Version
- 0.1.2
- Maintainers
- 1
Carbon Webhooks Python Library
carbon_webhooks_python is a Python library designed to verify Carbon webhook events. This library provides a simple way to validate webhook signatures and ensure the authenticity of incoming requests.
Features
- Generate Signature: Generate HMAC SHA256 signatures for webhook payloads.
- Validate Signature: Validate incoming webhook signatures to ensure they match the expected signature.
- Extract Signature Header: Parse and extract components from the Carbon-Signature header.
Installation
You can install the library using pip:
pip install carbon-verifier
WebhookVerifier
__init__(signing_key: str)
signing_key: Your Carbon webhook signing key.
generate_signature(timestamp: str, json_payload: str) -> str
Generates a signature for the given timestamp and JSON payload.
timestamp: The timestamp of the webhook event.json_payload: The JSON payload of the webhook event.
Returns the generated signature.
validate_signature(received_sig: str, timestamp: str, payload: str) -> bool
Validates the received signature against the generated signature.
received_sig: The received signature to validate.timestamp: The timestamp of the webhook event.payload: The JSON payload of the webhook event.
Returns true if the signature is valid, otherwise false.
extract_signature_header(header: str) -> Any
Extracts the timestamp and signature from the Carbon-Signature header.
header: The Carbon-Signature header.
Returns an object with the extracted signature parts.
Example Usage
Here is an example demonstrating how to use the carbon_verifier library to verify a Carbon webhook:
from carbon_verifier import WebhookVerifier
import json
# Initialize the verifier with your signing key
SIGNING_SECRET = 'aa76aee859f223451fd9bfb37ce893a0' # Replace with your actual signing key
verifier = WebhookVerifier(SIGNING_SECRET)
def verify_webhook(headers, payload):
carbon_signature = headers.get('Carbon-Signature')
if not carbon_signature:
return {'status': 'error', 'message': 'Missing Carbon-Signature header'}, 400
try:
timestamp, received_signature = WebhookVerifier.extract_signature_header(carbon_signature)
except ValueError:
return {'status': 'error', 'message': 'Invalid Carbon-Signature header format'}, 400
if not verifier.validate_signature(received_signature, timestamp, payload):
return {'status': 'error', 'message': 'Invalid signature'}, 400
data = json.loads(payload)
print("Received webhook data:", data)
# Handle the event
event_type = data.get('webhook_type')
if event_type == 'example_event':
# Process the event
print("Processing example_event")
return {'status': 'success'}, 200
# Hardcoded payload for example
payload_v1 = '{"payload": "{\\"webhook_type\\": \\"FILES_CREATED\\", \\"obj\\": {\\"object_type\\": \\"FILE_LIST\\", \\"object_id\\": [\\"46654\\"], \\"additional_information\\": \\"null\\"}, \\"customer_id\\": \\"satvik\\", \\"timestamp\\": \\"1721392406\\"}"}'
# Hardcoded header for example
headers = {
"Content-Type": "application/json",
"Carbon-Signature": "t=1721392406,v1=aa2273ab64bb9162e7e7983a9cd7ab9f90d686691b1fd25c577991ad42c53fc1",
"Carbon-Signature-Compact": "t=1721392406,v2=42a86d4083fee090b5a0800a91e82fb389f0bed4da757d07ee8ba97485194e59"
}
result, status_code = verify_webhook(headers, payload_v1)
print(f"Verification Result: {result}, Status Code: {status_code}")
FAQs
A library to verify Carbon webhook events
We found that carbon-verifier demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
ENISA Becomes a CVE Root, Expanding Its Role in Europe’s Vulnerability Ecosystem
ENISA has become a CVE Program Root, giving the EU a central authority for coordinating vulnerability reporting, disclosure, and cross-border response.
By Sarah Gooding -  Nov 21, 2025
Product
Introducing Socket Scanning for OpenVSX Extensions
Socket now scans OpenVSX extensions, giving teams early detection of risky behaviors, hidden capabilities, and supply chain threats in developer tools.
By Mix Irving, Ryan Eberhardt -  Nov 20, 2025